Interop to put SDN under the spotlight

THE POTENTIAL game-changing technology that surrounds software-defined networking will be center stage at Interop this week with high-profile product introductions, technology demos and information sessions all set to roll.

While mobility, cloud computing, security and business collaboration tools are expected to be introduced at the show in Las Vegas, which will see an estimated 13,000 attendees and 350 exhibitors, SDN will be showcased by multiple participants. Arista Networks, for example, will demonstrate how to build a software-defined cloud network using its data center switches and controllers from partners VMware, Big Switch and Nebula.

► See Interop, page 13

SPECIAL FOCUS

Hottest IT skill? Cybersecurity

EMBATTLED BY hacktivists, cybercriminals and foreign rivals seeking to steal proprietary information, U.S. corporations are ramping up hiring of cybersecurity experts, with open jobs reaching an all-time high in April.

The need for cybersecurity experts spans all industries, from financial services, manufacturing and utilities to healthcare and retail. Among the major U.S. companies trying to fill cybersecurity-related positions are Boeing, Baylor Health Care System, Verisign and Office Depot.

Cybersecurity jobs also are plentiful in the U.S. federal government market. For example, the Energy Department’s Idaho National Lab is seeking a senior cybersecurity researcher to support its lead nuclear research and development facility.

► See Cybersecurity, page 22

FROM THE EDITOR JOHN DIX



Don’t flush privacy in the name of security

On the face of it, the Cyber Intelligence Sharing and Protection Act (CISPA) that the U.S. House of Representatives just passed seems to address the long-held notion that encouraging private and public sector concerns to share security information will improve our general security.

And while the goal of CISPA is noble and the need warranted (even coveted by some enterprises looking for a way to share information while reducing legal liability), the devil is in the details, and unfortunately CISPA goes too far in terms of trading off our liberties.

CISPA, which passed the House by a vote of 248 to 168, would lead to the establishment of “procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and utilities and to encourage the sharing of such intelligence.”

The bill identifies types of data the federal government will not be able to share, including library usage and book purchase records, and firearm, tax, education and medical records. And it would limit the government to using cyberthreat information for: cybersecurity, cybersecurity crimes, protection of individuals from death or bodily harm, risk of sexual exploitation (such as child pornography) and national security.

The effort to focus the goal on information sharing while preventing abuse could be why the bill has received the backing of tech giants such as IBM, AT&T, Oracle and Symantec. As Facebook says in a letter to Congress, “Your legislation removes burdensome rules that currently can inhibit protection of the cyber ecosystem, and helps provide a more established structure for sharing within the cyber community while still respecting the privacy rights ... of users” (see tinyurl.com/7qh2zg4).

But CISPA detractors, a list that includes the Electronic Frontier Foundation and the ACLU, say the terms of use are too broad (a lot can be covered in “cybersecurity”) to safeguard citizens’ right to privacy. More concerning: CISPA would allow companies to share information with government military entities, including the National Security Agency, and then protect the companies who shared the information from citizen lawsuits if someone cries foul.

CISPA even spooks GOP presidential candidate Ron Paul, who said in a speech: CISPA “permits both the federal government and private companies to view your private online communications with no judicial oversight ... It permits them to hand over your private communications ... without a warrant, circumventing the well-known established federal laws like the Wiretap Act and the Electronic Communications Privacy Act” (see tinyurl.com/7muxqw5).

CISPA, while seemingly good for business, is bad business. Hopefully the Senate, which is working on its own version (the Cybersecurity Act of 2012), will address the shortcomings.
The Linux desktop: Force or flop?

WHAT A THINLY researched article for such a boisterous headline (Re: “Why Linux is a desktop flop”: page 20).

The cost of the computing platform is not the reason that Linux lags others on the desktop level. The ultimate answer and reason that Linux is not prominent on the desktop is marketing. There is no real marketing budget for Linux.

There is a big difference in the game environment, but that’s gaming, and Network World is about business computing, isn’t it? Linux succeeds in spite of itself where performance counts, in the server farm, and in dedicated platforms like POP registers, and the Android devices.

Thomas Honles SE PE

IN FIVE YEARS, I think you’ll be hard-pressed to find any desktop around “standard” companies. I believe in five years time, most staff in companies will be using tablet-like devices with apps connected to clouds.

Desktops are finished and so is Windows (thanks to its flop on handheld devices) and very few people are sad.

QskarLimka

IF YOU DON’T want to use GNU/Linux, don’t use it. Also, who cares if the general public uses it or not?

Linux is self-sustaining. There are companies that make enviable incomes maintaining, supporting, and extending it. Young computer scientists cut their teeth developing it. Plenty of people use it, as do plenty of companies.

This is a dead controversy. The year of the Linux desktop came and went without anyone noticing. It’s hard to say when it even was, actually, but it is in the fog of the past.

hhemken

LINUX FAILS ON the desktop for three reasons.

1) Hardware compatibility. Newest Debian didn’t pick up my monitor; no way new users want to run xrandr and deal with custom modelines.

2) Shine and polish. Most of it’s too 2D/1980s/flat graphically. I’m talking buttons, icons, window borders. The whole OS feels more immature.

3) Gaming. Sorry, but games drive newer machines. Games drive the upgrade route for hardware (thus, new installations).

I run a number of Linux-based servers and they’re great, but more and more I’m finding that, for me: a) Windows for games; b) Linux for servers; c) Mac for everything else, including development.

Mike Oxford

Embracing ‘enterprise technology’

AN INTERESTING READ from an author who possesses an impressive CV. The difficulty I have with the content is the portrayal of “change” as a series of out-with-the-old-in-with-the-new disruptions (Re: “From IT to ET: Cloud, consumerization, and the next wave of IT transformation”; tinyurl.com/7eak568).

There is much “old” still in use. Many of the organizations for whom I’ve worked had “mainframes” in use that ran batch jobs at night while during the day allowing real-time updates of data by “knowledge workers.”

What I have seen, and it is a problem, is the too frequent adoption of a new wizz-bang-it-will-fix-everything-that-is-wrong tool or technology that has not been evaluated for how well it will integrate with the existing technology. Furthermore, until and unless the users of these wonder-tools are fully trained, the full potential is unrealized.

RMichaelSmall

THANK YOU. LIKE the mirror of Galadriel, the article provides a very insightful look at what was, what is, and what may come to pass in the world of business technology. Anybody who is already savvy enough not to feel better informed after reading this will at least feel provoked into a high-quality debate.

Andrew Bergin

Where the Google Apps roam

AFTER SEVERAL YEARS and court battles, the U.S. Department of the Interior has picked Google Apps to provide cloud-based email and collaboration applications to about 90,000 staffers, choosing Google’s services over Microsoft’s Office 365. Google had sued the U.S. agency in 2010, claiming its requirements for the contract tilted the scales unfairly toward Microsoft. Google eventually dropped its lawsuit last September. The contract is worth about $35 million over seven years, the Interior Department said. By replacing its current systems with Google Apps for Government, the agency expects to save up to $500 million by 2020. tinyurl.com/cqcuaby

Harvard, MIT without the ivy

AN ONLINE education organization backed and funded by MIT and Harvard University will offer free Web-based course work. Admission will be open to anyone in the world and classes will start in the fall. Called edX, the nonprofit organization will initially offer Harvard and MIT courses and, over time, incorporate material from other universities. If you’re hoping to earn a Harvard or MIT degree, edX isn’t the way. Achievement in edX courses may earn a certificate of completion, but it will not have either MIT or Harvard’s name on it. Together the schools are investing $60 million in the effort. tinyurl.com/8yq33vu

VMware’s take on Google Drive, but with IT controls

VMWARE IS offering a private-cloud based platform for document sharing and device syncing that could rival Dropbox, Google Drive and Microsoft SkyDrive but give companies more control over their data. The product, called Project Octopus Beta, gives users access to documents via a native client or a Web client, and lets IT control provisioning, authentication and where data is stored. For example, IT departments can dictate what versions are kept, whether they are stored on fast or slow storage, and what authentication methods are used to gain access. In addition, Octopus places control of the syncing within the corporate firewall on gear that’s privately owned. tinyurl.com/cu2yns6

IE hangs on to its 50% share

MICROSOFT’S INTERNET Explorer gained usage share (for the third time this year) to stay above the 50% mark and remain the world’s top browser, according to Web analytics firm Net Applications. IE gained three-tenths of a percentage point to average 54.1% in April. Since Jan. 1, IE has increased its usage share by 2.2 points for a 4% gain since the end of 2011.

The turnaround has been IE’s largest and longest since the browser began shedding share years ago to Firefox, then later, Google’s Chrome. Chrome was the only browser besides IE to post positive numbers for the month, growing by three-tenths of a point to 18.9% and ending that browser’s three-month decline. Mozilla’s Firefox and Apple’s Safari both lost share - four-tenths and three-tenths of a point, respectively - to end April at 20.2% and 4.8%. The Norwegian browser Opera remained flat at 1.6%. tinyurl.com/csvj426

Can Watson cure Cancer?

IBM’S JEOPARDY!-PLAYING supercomputer handily defeated two of the game show’s strongest contestants, but can it beat cancer? The nation’s biggest health insurer aims to find out. Watson’s ability to answer questions posed in natural language makes it a logical match for data-driven industries, says WellPoint CIO Andrew Lang. “We’re dealing with a lot of unstructured data — from medical evidence to patient information — and that’s where Watson excels.” The first pilot, launched in December, involves eight WellPoint nurses using Watson-based systems to respond to physician procedure requests. The second pilot, launched this year with Cedars-Sinai hospital, tests Watson’s ability to suggest treatment plans to oncologists. The pilot will start with breast cancer and have Watson parse medical literature, population data, and individual health records to deliver probability-based treatment options for doctors to evaluate. It’s expected Watson will get better at evaluating and suggesting treatment plans. tinyurl.com/8xafaj8

IT VIDEO

Steve Jobs channels FDR

In 1984, Apple made a World War II-themed video to inspire its international sales force, and Steve Jobs appeared as FDR. tinyurl.com/cdq6gxt

Red Hat releases PaaS source code

RED HAT has released the source code for its OpenShift Platform-as-a-Service (PaaS) offering, enabling developers to run the platform on multiple cloud fabrics, including OpenStack. Red Hat first launched OpenShift a year ago as an alternative to VMware’s Cloud Foundry, and until now, it has only been available as a service on Amazon’s EC2 compute cloud. With the release of the source code, developers can now run OpenShift on their laptops, a server behind their firewall, or in their own data center. They can also integrate their own middleware, write their own applications and build their own cloud stack using an open source infrastructure-as-a-service (IaaS) codebase. “The cloud in general, and IaaS and PaaS implementations specifically, should not be vehicles that promote vendor lock-in, nor should they be under the control or ‘guidance’ of vendors,” said Red Hat’s senior consulting software engineer Jim Jagielski in a blog post. “For the cloud to remain open and vibrant, implementations should be truly open, not only in license, but in governance.” tinyurl.com/cs2bds8

JoeyBra: The new iPhone hideout

A PAIR of University of Washington students have begun promoting a bra they say can discreetly and comfortably be used to store iPhones, iPods, credit cards and more for women not carrying purses and who don’t want to ask a companion to store the stuff in their pants pockets. JoeyBra (yes, the name comes from kangaroo moms carrying baby joeys in their pouch) has stretchy pockets built in on each side under the arm to store an item.

Skype a little too revealing?

SKYPE SAID it is investigating a new tool that collects a person’s last known IP address, a potential privacy-compromising issue. Instructions posted on Pastebin explained how a person’s IP address could be shown without adding the targeted user as a contact by looking at the person’s general information and log files. Skype, which is owned by Microsoft, said in an e-mail statement that “this is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them.”

RIM wakes up to bad marketing idea

WHILE WE’RE sure nobody at Research in Motion thought a host of black-clad protesters shouting “wake up!” outside an Australian Apple Store would turn the company around, they probably didn’t think it could backfire as it did. The stunt was initially ascribed to Samsung, which is planning to release a new Galaxy smartphone — until an Aussie Mac blog noticed that some code on the “countdown” page advertised by the “wake up” campaign may have come from RIM. RIM had to then say, “um, actually, it was us.” This undercuts the point of “guerrilla” marketing, just as RIM was gearing up to promote its BlackBerry 10 OS.

The best government money can buy

AT&T SPENT nearly $7.1 million on lobbying the U.S. Congress and President Barack Obama’s administration in the first quarter of 2012, making it the leading corporate spender on lobbying, with Google, Comcast and Verizon Communications also making the top five. Google, facing antitrust scrutiny in Washington, D.C., spent more than $5 million on lobbying in the quarter, trailing only AT&T and General Electric. Ranking No. 4 was Comcast, at $4.6 million. Verizon was No. 5, at $4.5 million, spending more than pharmaceutical powerhouse Merck, at just under $4.5 million, oil giant Exxon Mobil, at $4.2 million, and major government contractors Boeing, Northrop Grumman and Lockheed Martin. Lobbying expenses include salaries of lobbyists, media campaigns, research and other spending focused on influencing the outcome of legislation. tinyurl.com/c7bld42

HP ousts Apple from top “PC” slot

APPLE LOST its position as the No. 1 manufacturer of personal computers in the first quarter of this year, according to Canalys research, which counts tablets as personal computers. In the last quarter of 2011, sales of the iPad had bumped Apple into the top slot, but in the first quarter of 2012 HP sold 40,000 more PCs than Apple’s 15.8 million total units (4 million of which were Macs and 11.8 million of which were iPads). tinyurl.com/cklslkc
Zynga infrastructure CTO: Making hardware cool again

Allan Leinwand is an infrastructure guy. He’s CTO for infrastructure at Zynga, which during the past few years has built the zCloud, which powers some of the most popular social games today. It works by combining the capacity of Amazon Web Service’s public cloud with the company’s custom-built private cloud. In talking with Network World Staff Writer Brandon Butler, Leinwand says Zynga’s evolution from relying on the public cloud to building a custom-made hybrid cloud is one he hopes other enterprises can learn from. Leinwand is also excited because finally, he says, infrastructure is cool again. During the dot-com bubble all the talk was all about the Web, networking and storage. Now, with the increasing popularity of the cloud, infrastructure is once again front and center. This year Leinwand will be one of the keynote speakers at Interop where he will discuss zCloud’s evolution and the state of cloud computing.

Isn’t the idea of a public cloud about outsourcing infrastructure, and getting it off the minds of IT executives?

There’s a perception that public clouds will lead to the outsourcing of infrastructure and IT. But I actually think a hybrid model, which means owning the base infrastructure and renting the spike capacity, is really the mantra of the future. A hybrid model that uses both a public and a private cloud is really the way most enterprises will build their clouds.

When I think of cloud, I think of a hybrid cloud environment where you have infrastructure that is owned and maintained by the user and is optimized for your business. Then there is a public cloud component, which is a more generic, homogenous infrastructure that you can tap into and scale with. Using those two in unison is really going to be the model going forward.

One concern a lot of enterprises might have in building a hybrid cloud model is the interoperability between the public and private clouds. How did you approach that issue when building zCloud?

When we built zCloud hybrid we made sure that we had compute that could move seamlessly between the public and the private clouds. That meant having common hypervisor equipment in the public and the private clouds. We made virtual machine images that could be used on both the public and the private cloud and we spent time working with vendors making sure that workloads could be moved from the public to the private clouds using a single dashboard. We knew that if we used a model that people hadn’t seen before, it would be hard. So, we made the private portion of zCloud look and feel exactly like the public cloud. We don’t differentiate between the public and the private clouds in terms of how we orchestrate, automate and deploy.

Why wasn’t just using a public cloud right for Zynga?

Our goal with zCloud is to power games that are social, acceptable and fun. On the accessibility side, we wanted to make sure our games are available anywhere on any device, so we wanted control over our infrastructure to do that. We also wanted to be able to scale flexible infrastructure in an incredibly fast way that was tuned for our business. And we wanted to have a little bit more control over the infrastructure itself so we could match it to the exact needs of the business. We wanted to be able to tweak memory and hardware configurations to optimize performance for our needs. When we did that we got a very nice bump in performance. And finally, we made sure that we have multiple layers of redundancy up and down the chain. That means redundancy at the server level, the power level, the network level as well as storage and DNS all having redundancy.

This is not to say that we don’t like the public cloud. We still use the public cloud. But I call Amazon a four-door sedan, and I use that term in the nicest way. It’s a generic car that is a useful utility for a number of functions. But for zCloud, we really wanted a car that was built for driving social games. So, we spent a lot of time monitoring game codes and tuning our system for the workloads we actually had. We found that we got a 66% reduction in servers when we ran some functions in the private cloud. In some cases, for every three servers it took to run an application in the public cloud, we did with one in the private cloud. That’s not because Amazon’s servers are worse than ours, we just built our servers, our networks, storage and compute infrastructure in a way that really matches how social games work. We really took a deep look at how our applications were running and built our cloud to those needs. That’s one of the lessons I hope to share at Interop: Really know your applications, then you’ll be able to learn what infrastructure is best suited for [them].

How do you make the determination of which applications run in the public cloud and which run in the private?

Well it comes down to knowing your applications and their workloads. If you have a particular demand for CPU, storage and network, the public cloud in many ways can satisfy those needs. There are some things that run just fine in the public cloud. If you build infrastructure with particular performances in mind, it’s easier to do that in a private cloud and use the public cloud as an extension of the private cloud.

When you took a deep look into how your applications ran, what did you learn and how did that influence the infrastructure that you built?

One thing that’s interesting about Zynga is that the games are software stacks, but those stacks also consume lots of services that are common among multiple games. So, for example, we have services that post events out to the social networks, and we have services that help you make payments, while others track leaderboards and do analytics. By watching those communication flows and understanding which services use local caches and which need access to a disc, we were able to build zCloud with all that in mind. People often ask me: “Allan, you were able to save 66% of your servers, what’s the silver bullet?” Well, there was no silver bullet. It was a lot of little things that came together from studying our operations that manifested itself into a very nice configuration that we now call zCloud.

TO SEE EVERYTHING GOING ON AT INTEROP, HEAD ONLINE FOR BREAKING NEWS COVERAGE. TINYURL.COM/7MC7LC9
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►  Interop ,  from  page  1 

IBM will demo a high-performance SDN using OpenFlow, which is a protocol and API that enables SDN. IBM will also be part of the Interop OpenFlow Lab, which will include Broadcom, Brocade, Extreme, HP, NEC and others showing off the SDN technology.

Hailed by proponents as the biggest transformation of networking in decades, SDN promises to make the physical infrastructure irrelevant to the actual behavior of the traffic by enabling software programmability of flows and additional features.

Another big player to watch in the evolving SDN market is Cisco, whose hardware and software are omnipresent in enterprise, data center and service provider networks. Cisco CTO Padmasree Warrior kicks off Tuesday morning’s Expo with a keynote address, and while her speech is slated to discuss three macro industry trends — mobility, cloud and video — Cisco has been working in recent months on its programmability strategy, as it calls its response to SDN.

At the company’s recent business partner conference in April, Cisco CEO John Chambers confirmed that the company is funding and plans to absorb Insieme, a startup developing an SDN system.

At the conference, Warrior told Network World, “Clearly we understand the implication of what is good about [SDN] and what are the things we need to improve.”

From that conference Network World’s Jim Duffy wrote: “The single most visible aspect of Cisco’s programmability strategy — the company seems careful not to label it as an SDN initiative — is Insieme, the Cisco-funded startup building what is believed to be a programmable switch line supporting OpenStack and distributed data storage. Cisco initially invested $100 million in Insieme, with the right to purchase the remaining interests of the company for up to $750 million.”

Interop also features a number of sessions focused on SDN, including a Monday afternoon workshop titled “How will software defined networks and OpenFlow impact enterprise networks?” and a Wednesday 2 p.m. session titled “OpenFlow and software defined networks: What are they and why do you care?” Also, cloud networking company Lyatiss will demonstrate Cloud Weaver, which is an SDN-based offering that supports scalable connections to cloud applications.


Beyond SDN, another major area of discussion among the keynote speakers is expected to be cloud computing. Speaking during Tuesday morning’s keynote is Allan Leinwand, CTO for Infrastructure at Zynga, which during the past few years has migrated away from using market-leading public cloud provider Amazon Web Services and has instead built zCloud, which powers the online games the company makes (see interview, page 12). Leinwand says this hybrid approach of using on-site virtualized hardware for the base-level needs of an enterprise, and using a public cloud as a way to scale for unexpected spikes in IT needs, is the approach he believes will dominate into the future. Other keynotes on Tuesday include leading executives from Avaya, Dell and Google.

On Wednesday, Steve Herrod, CTO and senior vice president for R&D at VMware, will keynote the morning session, along with a panel discussion from leading cloud thinkers including John Engates, CTO of Rackspace, and Ellen Rubin, vice president of cloud products for Terremark, a Verizon company. Mobile computing is set to be a hot topic throughout the show as 14 sessions during the three days of conferences are dedicated to the topic — the most of the nine conference tracks.

For the early birds getting to the show, Sunday and Monday, May 6 and 7, will feature two-day sessions on enterprise cloud computing and principles of effective IT management. Security is the second hottest topic at the show, while topics such as IPv6, social media in the enterprise and desktop virtualization are also on the docket.

Meanwhile, organizers have spent the past few weeks putting the finishing touches on the event, including setting up the network that will power Internet connectivity at the show.

“InteropNet is probably the world’s largest temporary network,” says Steve Shalita, vice president of marketing for NetScout, which is one of more than a dozen companies lending support for InteropNet, the engine that powers the high-speed network for exhibitors and conference attendees.

CenturyLink, which is providing the bandwidth, uses dedicated data centers to supply Internet connectivity, which it then delivers to the venue via private-line Ethernet, says Senior Product Manager Michael McAfee. “We have the data center services, we have 9GB of Internet connectivity out of those data centers,” he says. Two-thirds of the bandwidth provided is IPv4 while the remainder is IPv6. ■

Network World’s Jim Duffy and Jon Gold contributed to this report.

Clean bill of health for e-medical records


With the U.S. Supreme Court now debating the fate of the so-called “Obamacare” legislation passed in 2010, healthcare has been much in the news of late — and not much of the news about healthcare is very good. That is, unless you’re talking to Philip Fasano, executive vice president and CIO of Kaiser Permanente, the giant Oakland, Calif.-based integrated health system. Fasano, whose IT organization has delivered on a multibillion-dollar electronic medical records initiative, believes that healthcare’s greatest days are ahead thanks to the rapid infusion of technology. In fact, Fasano thinks — dare we say it — that your healthcare provider should be in the business of delighting you.

In this latest installment of our CIO Interview Series, Fasano spoke with IDG Enterprise Chief Content Officer John Gallant about how the electronic records “bet” has paid off for Kaiser Permanente and its roughly 9 million customers and patients, and how social and mobile technologies will advance the effort. He offers hard-won advice on making big tech projects successful and talks about what it means for CIOs to be the “CEO” of their organizations. (See tinyurl.com/79j2xr6 for a full version of this interview.)


I  want  to  give  readers  a  clear 
understanding  of  the  size  and  scope  of 
Kaiser  Permanente,  so  that  people  have 
a  sense  of  just  how  big  a  responsibility  IT 
has  not  only  in  supporting  the  company 
but  also  helping  to  drive  innovation. 

I’ll give you that perspective from a couple of points. We’re approximately a $50 billion by revenue institution, so if we were a public company we’d probably be in the Fortune 50. We’re not a public company. We’re not-for-profit and have a particular mission around that. The organization covers all aspects of the healthcare industry. We’re larger than the health systems of 140 countries. So if you think of us as a country health system, we have primary care physicians, we have specialists and specialties, we have all the facilities that would be necessary to operate such a system, including medical buildings that are quite comprehensive. We have hospitals, 36 of them across the program, mostly in California and the northwest part of the United States, as well as out in Hawaii.

Though we don’t operate in all 50 states, we do operate from the mid-Atlantic, on the East Coast, in Georgia, all the way out to Hawaii. We are a very large part of California healthcare, treating almost half the state’s population. About 9 million Americans get their healthcare from Kaiser Permanente every day, and they certainly expect a lot of us and we expect a lot of ourselves in terms of the capabilities and services we have to offer them. We’re also a health insurance company. We’re a health plan, although we’re an integrated health plan. Our health plan and our care delivery organizations are integrated in the sense that they work very closely together to deliver the high-quality care, as well as the products and services people need to ensure their health.

Our organization has over 200,000 people in it. Our IT organization has a little less than 6,000 employees as well as additional support people that would actually bring that number somewhat higher, probably a couple thousand higher than that. It’s a large group of people who are focused on delivering what we call life-critical systems, and having all aspects of technology in place to support all our care delivery operations.

All of the systems to support our health plan and health insurance operations are part of my responsibilities, as well as the infrastructure to support a business of delivering life-critical capabilities to its members, either over the Internet when our members access our website KP.org, or via a mobile phone, via mobile apps, or if it’s when they come in to see us in our care delivery settings. The technology supports every aspect of their care and every aspect of their insurance needs on the health plan side of the business. Our electronic medical records system is the largest implementation in the private sector anywhere in the world.

I  also  want  to  touch  on  the  scope  of  your 
role  because  you  have  a  unique  set  of 
responsibilities  that  go  well  beyond  just  IT. 

I am one of three executive vice presidents at Kaiser Permanente. My colleagues and I have responsibility on what we call a National Leadership Team and the Operational Leadership Group, which [oversees] day-to-day operations of the businesses of Kaiser Permanente. The National Leadership Team is the equivalent in a public company of an executive committee. We work with the CEO on everything from strategy and strategic development of the business, to quality and service and affordability around all of the programs we provide.

We work in partnership with another leadership group we call our Kaiser Permanente Partner Group, effectively the medical group leaders and our health plan, health hospital operations leaders, all partner together on that group. We go across all of our medical groups, all of our care capabilities, and all of our health plan operations, working together for the benefit of all of our members. We also have an additional goal, and that’s to work for the benefit of the communities we serve, because we are not-for-profit and our not-for-profit capabilities are quite significant. We work with community outreach and many community-based programs to support people who have challenges getting healthcare access, due to financial or other reasons.

What  spawned  that  significant  bet 
on  the  medical  records  initiative? 

You  have  talked  about  your  CEO’s 
goal  to  turn  healthcare  on  its 
ear.  What  does  that  mean? 

I wasn’t here when our CEO came to the company, but I’ve been here with him for the past five years, and I know that when he came to the organization one of the things that he brought with him was that he understood the value of information technology. In fact, he had implemented, on a smaller scale, electronic medical records in other organizations and, as a consequence, came with an expectation that having those tools was foundational to improvements in healthcare quality, healthcare affordability. And, frankly, levels of service to patients and physicians that were just beyond anything that was occurring broadly in the United States.

Bringing that foundation with him, he decided to effectively bet the future of the institution — because of the size, scope and complexity of the project — on implementing an electronic medical record system end-to-end. That meant in every one of our operations, effectively having every patient in this institution be on our electronic medical record system so that every care provider, every physician, every specialist had complete access to the entire medical record every time they treated that patient.

We started to say that patients should look at having an electronic medical record as a right not a privilege in this country. In our organization, it’s become a right. Every patient at Kaiser Permanente now has that system. It allowed us to build on top of many preventive care capabilities, in the form of advanced analytics that look through your medical record for conditions or issues that could be as simple as you haven’t renewed your prescription to noticing that your physician was attempting to prescribe a particular pharmaceutical that you have an allergy to, which gets noted to avoid having that happen again going forward.

The  capability  is  extensive,  it’s  widespread, 
and  it’s  very  significant.  He  was  betting  $4 
billion  of  this  company’s  cash  flow  on  the 
future  implementation  of  a  system  that  he 
was  hopeful  we’d  be  able  to  get  done,  but  of 
course,  wasn’t  assured.  I  can  tell  you  the  bet 
has  paid  off  in  an  enormous  way  and  it’s 
given  us  capabilities  that  should  be  expected 
of  every  healthcare  system. 

What  was  the  role  of  the  IT 
organization  in  helping  shape 
and  bring  that  vision  to  life? 

Putting electronic medical record systems into an institution meant the IT organization was going to have a very large percentage of the responsibility. What I can tell you, though, is that any IT organization that believes they can do it alone is just destined to fail. At Kaiser Permanente, we did this as a team. Our care delivery leaders and our physicians, all of our clinicians were deeply involved in the development of this program and worked with IT extraordinarily closely, worked with our other business operators very closely, and as a consequence we were able to put together a capability that goes across the organization and is widely well received.

Any large-scale implementation has post-implementation challenges. People start to work with it and find its limitations pretty quickly. If we didn’t have everyone completely involved and participating very actively — both buying into and making the vision their own — we would have been very challenged post-implementation. You really have to help people train on the system, learn some new capabilities that they might not have known existed in the system, so that they become not only proficient, but operate at an expert level.

Physicians go from encounter to encounter to encounter all day long, and for them the system has to just be easy to use and simple for them to document into, or it becomes an encumbrance. In our case, some of our physicians [would help] their peers learn the path forward. It was truly remarkable how each person helped the other become proficient in this particular capability.

One  of  the  raps  on  IT  departments  is 
how  often  it’s  perceived  that  they  fail 
at  significant  projects.  This  is  about 
as  big  a  project  as  you  can  get.  What 
were  the  secrets  for  success  here? 

I have many, many other large programs underway at Kaiser Permanente currently, and the fact of the matter is with large programs you’re going to have some to and fro with project plans, timelines and cost. It’s just the reality. You don’t know at the beginning what you don’t know. But in order to make them a success, you really have to decide early on that it’s going to be a strong, deep partnership with experts involved in every step of the initiative. Not only involved, but full-time involvement, which means in many cases they have to give up their day jobs and focus on the execution and implementation of a transformational initiative.

Large systems initiatives are transformational in nature. This certainly was. Everything from how you work day-to-day, your operational workflow, has to be considered and analyzed and determined what it will be going forward so you can train for that, to the need to implement more servers in the back room to support this and making sure there’s high availability.

Something you may not have considered on day one, but something you have to spend money on day two, as you’ve implemented the program and realized that high availability was a dependence for this particular system. Oftentimes people fail to see at the onset of the program that they really needed those capabilities and they start to spend on those capabilities once they determine they’re necessary, often without bringing forward the additional business case, without recognition at the senior-most levels that these are strategic additional investments that are necessary to operate the business post-implementation. When people find out and deal with the back end, the project is now two times what we intended it to cost, the project took one and a half times or two times the time, it’s much more complex and very challenged. Often, very large projects actually get canceled when they start to experience those difficulties.

If  you  go  into  a  large  project  as  a  company 
leader  and  don’t  expect  to  spend  more  than 
you’ve  initially  budgeted,  you’re  probably 
not  exhibiting  great  leadership  and  foresight 
in  terms  of  planning.  The  reality  is  you  go 
into  these  projects  knowing  probably  about 
between  30%  and  60%  of  what  you  need  to 
know  and  then  you  find  out  the  rest  of  it  as 
you’re  going  because  large  projects  are  so 
complex  and  things  are  subject  to  change. 

Operating procedures that most companies experience for 10, 20, 30 years are now coming under substantial amounts of change and pressure, which requires the entire company to go through a transformation that, in many cases, they didn’t anticipate the scale and scope of. That’s why these programs often fail. CFOs will pull the plug because the cost of them is getting extraordinarily high. But the other reasons they tend to fail is that organizations haven’t committed their absolute best people to them, and even when they pick their best people they fail to recognize that those people may not have change leadership, transformational leadership, and the scale and scope of an initiative like this in their background. It’s their first rodeo, therefore they’re going to go through a learning curve. Learning this at scale costs you a lot of money.

What  are  the  tangible  results  of  the 
medical  records  initiative  to  date? 

What  is  it  enabling  the  company 
to  do  that,  had  you  not  made  this 
investment  and  this  transformation, 
you  wouldn’t  be  able  to  do  today? 

Our medical group has an extraordinary passion for being the best, as measured by their peers and all the quality metrics out there. They work really hard to make sure that this organization both strives for and achieves at the best levels. This system enhanced their ability to accomplish those goals. It’s given them the information, the technology, the additional analytic support to really focus on people with chronic conditions, create outcomes for those people that are extraordinarily different than the communities that we operate in and what other physicians might achieve. Those outcomes are substantially better, sometimes twice as good, sometimes even more than twice as good as the community can achieve without these types of capabilities. ■

Why Linux is a desktop flop


BY  MARIA  KOROLOV 


IT’S  FREE,  easier  to  use  than  ever,  IT  staffers 
know  it  and  love  it,  and  it  has  fewer  viruses 
and  Trojans  than  Windows. 

It’s already ubiquitous on the server side. Plus, there are now alternatives to the most popular software packages out there — again, for free — and new software releases often have Web-based interfaces, making operating systems irrelevant.

So,  why  hasn’t  Linux  on  the  desktop  taken 
off? 

Especially since Linux — in the form of the Android operating system — dominates the mobile market, with a 50.9% market share at the end of 2011, according to Gartner numbers released in February, up from 30.5% market share at the end of 2010.

On the server side, Linux is also doing well, especially with high-performance computing and cloud infrastructure deployments, according to IDC, with Linux servers now accounting for more than 18% of all server revenues.

But  on  the  desktop,  Linux’s  numbers 
barely  register.  Gartner  predicts  that  Linux 
penetration  on  the  desktop  will  remain  below 
2%  for  the  next  five  years. 

So, what’s the problem? It’s not just corporate inertia — companies are quick to move when there’s money to be saved. But when it comes to desktop Linux, the cost savings turn out to be problematic, there are management issues, and compatibility remains an issue.

Cost 

Let’s get the money question out of the way first. Yes, Linux is free, and so is the open source software that often comes with it — OpenOffice, the GIMP photo editing software, the Thunderbird email client.

But,  as  the  old  saying  goes,  it’s  “free  as  in 
puppy,  not  free  as  in  beer.” 

First,  Windows  itself  isn’t  that  expensive 
when  you  get  it  bundled  in  with  new  desktops 
and  laptops.  The  cost  savings  to  run  Linux  on 
the  same  hardware  is  minor. 

For  example,  the  Dell  Latitude  2120  with 
Windows  7  Home  Premium  is  $494,  while 
a  similarly  loaded  Ubuntu  Latitude  2120  is 
$434  —  a  savings  of  just  $60. 

In  addition,  the  free  versions  of  Linux  are 
only  supported  with  free  fixes  for  about  a 
year,  says  Michael  Silver,  an  analyst  with 
Stamford,  Conn.-based  Gartner. 

“You have to switch to the new version of Linux every year,” he says. “Microsoft supports each version of Windows for 10 years — I don’t have to pay any more money, and I still get security fixes. Even vendors that do offer extended security fixes for Linux, like Novell or Red Hat, they’re going to charge every year for the privilege.”

So  companies  wind  up 
paying  either  for  the  time  it 
takes  to  upgrade  all  the  Linux  machines,  or 
for  the  extended  support.  “The  cost  ends  up 
approaching  Windows  —  if  not  surpassing 
it  —  fairly  quickly,”  Silver  says. 

The idea that Linux is free and companies can save a lot of money by switching is a myth, he adds, one of many myths surrounding Linux deployment. “This has been a typical understanding, but a lot of organizations that have explored that have found that there’s more to it,” he says.

As a result, Gartner hasn’t been seeing much interest in switching to Linux on the desktop, he says. “We get a lot more questions about switching to Macs than switching to Linux at this point, even though Macs are more expensive.”

There  has  been  more  interest  in  open 
source  software  and  operating  systems  in 
Europe  and  Latin  America,  Silver  says.  “But 
even  that  has  been  tapering  off.” 

Compatibility 

But the single biggest disadvantage Linux has on the desktop is in applications, says Patrick Gray, president of business strategy consultancy Prevoyance Group.

“Traditionally, Linux has been a bit more difficult to install, use and manage, but much of that has been assuaged with variants like Ubuntu,” he says. “But despite narrowing the usability gap, Linux still lacks many commercial-grade applications.”

Where  substitutes  are  available,  he  adds, 
most  are  not  supported,  or  don’t  have  the  full 
feature  sets  of  the  commercial  variants. 

Plus, most professionals tend to be familiar with the leading commercial software products for the work that they do — the open source alternatives may require additional training, or cause productivity problems.

“While  Linux  is  free,  the  cost  of  a  large 
company  to  train  users,  and  support  these 
applications,  will  likely  offset  the  software 
licensing  expense  [of  Windows],”  Gray  says. 

“The  reason  isn’t  security,  usability  or  any 
other  technology  shortcoming,”  confirms 
Mark  Hinkle,  director  of  the  cloud  computing 
community  at  Citrix  Systems.  “The  inhibitor 
for  adoption  is  applications.” 


Under Linux, he says, users can check their email, browse the Web and use an office suite. “The problem is that things like custom billing apps, SAP, desktop productivity apps from Adobe and industry-specific apps are developed solely for the Windows desktop,” he says.

Many  applications  are  already  moving 
to  a  cloud-based  or  browser-based  delivery 
model,  he  adds.  Those  apps  can  run  on  any 
operating  system  with  a  browser,  or  on  any 
smart  mobile  device.  At  that  point,  companies 
can  start  looking  at  Linux  more  seriously. 

“Until  then,  Linux  adoption  on  the  desktop 
will  be  stifled.” 

According  to  Gartner’s  Silver,  a  typical 
organization  will  have  one  application  for 
every  10  users,  and,  today,  about  half  of  those 
applications  require  the  Windows  operating 
system. 

“That  percentage  has  been  declining,  but 
still,  it’s  pretty  high,”  Silver  says.  “So  if  I  have 
10,000  users,  and  1,000  applications,  500 
of  those  applications  will  need  Windows  to 
run.” 

One intermediary solution, says Citrix’s Hinkle, is to run a virtualized version of Windows on top of Linux, such as with Citrix XenClient or VMware, or use remote desktops such as Citrix XenDesktop, for those users who need specific Windows applications. “For example, the Google Chrome netbooks complemented with apps re-displayed from a Citrix XenApp installation could be a very interesting solution for a number of users.”

Virtual  desktops  can  be  used  to  provide 
access  to  legacy  apps  for  users  of  smart 
mobile  devices,  as  well. 

Making  it  work 

Despite  these  negatives,  there  are  companies 
out  there  using  Linux  on  employee  desktops. 

One,  for  example,  is  a  small  veterinary  clinic, 
the  Chester  County  Cat  Hospital,  located  just 
outside  Philadelphia,  with  10  employees. 

“We  took  over  the  business  last  June  and 
last  July  is  when  I  moved  everything  over  to 
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TREND  ANALYSIS 


Wait,  IS  desktop  Linux  a  flop?  Readers  weigh  in 

While  one  could  be  forgiven  for  expecting  a  flame  war  in  the  comments  on 
an  article  entitled  “Why  Linux  is  a  desktop  flop,”  the  online  discussion  that 
followed  its  publication  was,  in  the  main,  thought-provoking  and  respectful. 
An  extensive  debate  on  Slashdot  was  particularly  enlightening.  One  user  said  the 
opportunity  for  widespread  Linux  adoption  on  the  desktop  had  come  and  gone. 

“The  great  opportunity  for  Linux  on  the  desktop  was  a  decade  ago.  Back  when 
Windows  95  sucked,  Windows  XP  was  late,  and  Windows  2000  cost  several  hun¬ 
dred  dollars.  That’s  when  it  could  have 
happened.  It  didn’t,”  Animats  wrote. 

Several  others  cited  Microsoft  Office 
as  a  key  factor  in  keeping  Linux  desktop 
adoption  low.  Given  the  near-total  domi¬ 
nance  of  that  suite  of  programs  in  the 
productivity  sector,  it's  unlikely  that  any 
user  with  more  than  a  casual  need  for 
Word  or  PowerPoint  will  opt  for  the  open- 
source  alternatives. 

Nevertheless,  others  pointed  out  that 
Linux’s  profile  could  change  radically  overnight.  Citing  the  case  of  guitar  string 
maker  Ernie  Ball  —  which  was  raided  and  audited  by  the  Business  Software  Alli¬ 
ance  in  2000  and  subsequently  switched  to  an  all-open  source  model  in  protest  — 
one  user  said  that  it’s  startlingly  simple  to  transition  a  business  to  Linux. 

“Microsoft  persists  because  their  customers  don’t  have  a  compelling  reason 
to  switch.  But  given  a  reason,  switching  to  Linux  is  no  big  deal.  At  any  point  in 
time,  most  of  the  world  is  6  months  from  Linux,  and  Microsoft  is  6  months  from 
oblivion,”  wrote  swm. 

Two other refrains, however, were commonly heard. The first is that Microsoft’s
ability to offer a single, unified Windows desktop ecosystem gives it a huge
advantage over Linux, given the fact that there are hundreds of different distros
out there, all with various upsides and downsides. The second, related point is
that the development communities for each of those distros make up a fractious,
Balkanized and often highly uncivil patchwork of a larger whole.

Still, it may simply be a lack of awareness holding Linux back.

“Most people do not know there is an alternative to windows or that it’s as good
as windows,” wrote Citron, adding, “Android is a good example of what can happen
when people are exposed to an alternative OS. It’s now the number 1 smart
phone OS and Windows phone is more or less a flop.”

—  Jon  Gold 
Linux,” says financial manager Paul Stadler,
who  bought  the  business  with  his  wife,  the 
clinic’s  veterinarian. 

“Linux  was  my  comfort  zone,  and  I  knew  I 
could  get  it  to  do  what  I  wanted  it  to,”  Stadler 
says. 

He uses an open source practice management software system, which employees
access via a browser.

“They don’t seem to have noticed that it’s on Linux,” he says.

The previous owners used a Windows-based practice management system, and
inactive patients weren’t ported over to the new platform. Stadler runs a
Windows emulator if he needs to pull it up, he says.

In addition, there were some Office documents and spreadsheets. “Libre Office
handled them seamlessly,” Stadler says. “I don’t think they [the former owners]
knew what a macro was, so we didn’t have to deal with that at all.”

Employees have been using Libre Office without a problem, he adds, for simple
tasks such as writing a letter to someone or moving some numbers around in an
inventory tracking spreadsheet.

“I would say that, since July, they’ve probably come to me three times with a
question on how to do something in that software,” he says. “The less savvy your
employees are, the less it matters — everything they do is extremely simple.”

Overall, Stadler says, he’s probably saved around $10,000 a year in software
costs, mostly as a result of the practice management software.

But he adds that he would have seen the same savings if he had stuck with
Windows, since all the software can run on that platform, as well.

Meanwhile, drivers have sometimes been a hassle, he says. “The open source
community packages them up for you, but at a pretty severe lag,” he says. “When
I bought new printers, I had to download the drivers. I got them to work, but
you have to be technologically literate to do it. It was actually a challenge
to get those drivers working.”

Los  Angeles-based  InMotion  Hosting  is 
on  the  opposite  end  of  the  spectrum  from  the 
Chester  County  Cat  Hospital  when  it  comes  to 
the  technical  skills  of  its  employees. 

The  company’s  server  farms  are  Linux- 
based,  and  many  employees  are  comfortable 
working  with  Linux.  As  a  result,  about  25% 
run  Linux  on  their  desktops,  says  CEO  Todd 
Robinson.  Of  the  rest,  65%  use  Windows  and 
the  rest  have  Macs,  he  adds. 

In addition to problems with finding software to run on Linux, and training
staffers who have grown up using Windows or Macs, Robinson says Linux desktops
also have a management problem.

“It’s  such  a  flexible  environment  that  there’s 
a  lot  of  freedom  to  do  things,  even  things  you 
shouldn’t  do,”  he  says.  “A  typical  thing  in  a 
Windows  setting  is  to  establish  some  usage 
policies,  and  set  up  some  limitations  on  the 
systems  to  keep  them  stable.  Linux  doesn’t 
have  those  types  of  standards  out  of  the  box.” 

Instead,  companies  looking  to  centrally 
manage  Linux  desktops  have  to  create  those 
types  of  policies  and  limitations,  he  says. 
“Windows  is  set  up  that  way.” 

Other large-scale examples of Linux deployments tend to fall into one of these
two extremes. Either employees use their machines in very limited ways — such as
bank tellers, for example, or store clerks — or in very sophisticated ways where
they often write their own applications and need the power and control that
Linux offers.

In the big middle ground, however, the applications rule, and companies choose
the platforms that give employees the software they need to do their jobs. That
means Windows for general business applications, and Macs for specialized
graphics work. ■

Korolov is a freelance business and technology writer in Massachusetts. She can
be reached at maria@tromblyinternational.com.
Managing Development in the Cloud


Keeping a cloud software development environment operating around the clock
is a major challenge. Katsutoshi Nihei has that responsibility for all of NEC
Corporation, a $35 Billion technology leader, as Senior Manager of its Software
Process Innovation and Standardization Division. His operation runs NEC’s
“Software Factory”, a companywide platform for all development activities, which
is charged with standardizing and accelerating software development to bring
new applications to customers faster and optimize costs. He recently discussed
how he implemented NEC’s ProgrammableFlow Networking to manage a virtualized
development environment for use across the company.

What  are  the  challenges  of  hosting  a 
cloud-based  development  environment? 

Software Factory operates one data center in East Japan and one in West Japan to
provide a common development environment across all NEC operations. Operating a
cloud software development environment 24x7 requires high availability and high
performance. Virtualization enables optimal server resource utilization and high
availability, but it can take considerable effort to change the network when
virtual servers are added, changed or removed. Without Software Defined
Networking and ProgrammableFlow, you would have to do this manually; it is time
consuming to change router configurations and IP addresses and can lead to setup
errors. It’s also expensive to operate redundant hardware in multiple locations.

How has the adoption of ProgrammableFlow impacted the Software Factory?

ProgrammableFlow delivers a network that can adapt to expansion and changes
of virtual servers quickly and easily. We no longer need to change the
assignment of IP addresses during relocation of a VM, which increases
operational flexibility. Also, previously we operated duplicate standby
equipment in each data center for maintenance purposes, but now we keep standby
equipment in only one of the data centers, saving tens of millions of dollars in
hardware and operational costs.

What  was  the  impact  on  your  ability  to 
manage  and  monitor  network  resources? 

As network configurations become increasingly complex, it can be difficult
to get an overview of where and how data communication is flowing. The
ProgrammableFlow GUI clearly displays the physical and virtual network topology
and communication flow, making for more efficient management.

Currently,  we  are  centrally  managing 
both  East  Japan’s  and  West  Japan's  network 
from  our  headquarters  in  Tokyo.  Before 
this  implementation,  the  East  Japan  data 
center  was  close  to  its  computational  limit, 
but  now  we  can  provide  it  with  access  to 
several  of  West  Japan’s  virtual  machines. 

What  does  this  mean  for  your  developers? 

We’re able to prepare multiple logical virtual tenant networks and create a
secure development environment sharing the same physical network, without having
to manually prepare a physical server environment for each tenant. If we had to
set up separate physical servers to house an application server, a web server
and database server in order to meet developer needs, it would make it very
difficult for us to actually achieve our goals of improving the quality, cost
and delivery of NEC solutions.

How will this impact future plans?

We think this makes it possible to build a development and test environment that
is essentially isolated from any other environment on the network, but available
as an on-demand service to developers. ■
Fastest growing security jobs

                       April 2012   April 2011   % Change
Cybersecurity          920          528          74%
Network Security       1,960        1,452        35%
Information Security   1,771        1,346        32%
Security Engineer      690          533          29%
Data Security          541          420          29%
Application Security   638          550          16%

SOURCE: DICE.COM


►  Cybersecurity,  from  page  1 

The number of cybersecurity-related job openings listed on the Dice.com website
for IT professionals rose significantly in April 2012 compared to a year ago.
The biggest increase was for cybersecurity specialists, which rose 74% with 920
open job listings.

U.S. companies also are hiring thousands of network security, information
security and application security experts.

“Every year, threats go up, so every year companies increase investment in
security,” says Tom Silver, senior vice president of North America for Dice.
“On Dice, information security jobs reached an all-time high last month ....
Companies want security professionals to counter breaches and also anticipate
gaps, suggesting measures to fill them. Protection is key.”

Several trends are driving the demand for cybersecurity experts. Companies have
increasingly complex networks, more transactions to process, and more data than
ever. They’re using cloud applications such as Salesforce and Taleo, which
extends their need for information security outside the perimeter of their
networks. Additionally, they’re dealing with a flood of user-owned mobile
devices such as smartphones and tablets.

The cybersecurity skills needed three years ago compared to now “is a whole
different ballgame,” says Sudhir Verma, vice president of consulting services
and project management at Force 3, a Crofton, Md., government contractor that is
hiring several senior engineers, solutions architects and analysts for its
security team.

“Three years ago, the iPad was not in play. Now we’re hiring experts in our
practice who understand the bring-your-own-device and consumerization trends,”
Verma says. “Everything is in flux with the move to the cloud and mobile
devices. It’s no longer about managing firewalls for IT security. It’s beyond
that. It’s about how to protect information in the enterprise in an environment
that includes cloud applications and tablets.”

All of these trends are prompting CIOs and CISOs to hire experienced security
professionals to safeguard their sensitive information. They are particularly
concerned about protecting intellectual property from theft by
government-sponsored hackers from countries such as China.

“There’s certainly a great need in the market, with cybersecurity breaches
costing U.S. companies upwards of $400 billion annually in intellectual property
theft alone,” says Don Hanson, senior vice president with Yoh, an IT staffing
agency.

Hanson sees demand for developers who can build secure applications, network
engineers with security certifications, and architects who understand how to
secure systems and processes. He says there is also a need for IT professionals
to be involved with security monitoring, information assurance and regulatory
compliance.

“The biggest need is for folks that are working in security with cutting-edge
technologies,” Hanson says. “There are so many mobile devices out there, it’s
important to add the layer of mobile device management and to understand how
that additional layer works.”

Hanson says companies are looking to hire IT professionals with experience in
security information event management, intrusion detection, data loss prevention
and logging systems, as well as those with certifications related to ethical
hacking and digital forensics. However, they prefer to hire IT professionals
with a big-picture perspective on security issues rather than expertise in only
one type of security device.

“It’s not so much about any one technology or any one point product,” Hanson
says. “It’s more about a holistic approach to security that companies are taking
that includes their policies and assets across their entire information
architecture.”

The titles for open cybersecurity jobs vary, with the most popular being
security engineers, security analysts and security architects. Other
organizations favor the terms cybersecurity analysts and information assurance
analyst.

“We’re looking now for cybersecurity intelligence analysts and information
assurance analysts who understand how to look at information not only from a
technical and logical security standpoint, but who can relate that back to risk
management and business process risk,” says Jacob Braun, president and COO of
Waka Digital Media Corp., a Boston-based IT security consulting firm. “We’re
looking for people who can look at attacks in progress and can find occurrences
that are symptomatic of attacks and ... can help mitigate potential for future
attacks.”

Most of these high-paying cybersecurity jobs are not for recent computer science
graduates; instead companies are looking to hire IT professionals with five to
15 years of experience with security systems and processes as well as related
certifications.

“A cybersecurity analyst is someone who has nine to 15 years of professional
experience, preferably has a master’s degree and possesses a variety of
information security certifications,” Braun says. “Salary depends on geography
and industry. It can range anywhere from $80,000 to $150,000. If an individual
has a unique set of experience, it can be significantly higher, especially for
consultants.”

Last year, Unisys hired an IT security director and expanded its IT security
staff. Now the company is looking for knowledge of security principles in all of
its ongoing IT hires, including application developers and network engineers,
says Unisys CISO Dave Frymier.

“The reason that senior application architects and senior network engineers have
got to have security knowledge is because we want to bake security into the
early parts of the development process,” Frymier says. “I’ve interviewed several
application architects who had sterling-looking resumes and when I asked them to
describe an SQL injection attack, they couldn’t do it. We didn’t hire them.”

Unisys has 15 cybersecurity professionals on staff out of an overall group of
150 IT professionals. Frymier says Unisys needs cybersecurity expertise in its
IT architecture and IT operations.

“The breaches that are occurring are problems on the operational side,” he
explains. “Somebody who runs a security information and event management system
has to have a lot of experience ... so they can deal with the false positives.
Those systems throw out literally gigabytes worth of data. You have to be able
to filter through that and find the stuff that really shouldn’t be there.”

Demand  for  cybersecurity  experts  is 
expected  to  remain  strong. 

For example, Department of Homeland Security Secretary Janet Napolitano told a
Senate committee in April that cyberattacks are her No. 1 concern. She said
there is a shortage of cybersecurity experts to help federal agencies thwart
cyberattacks, which exceeded 106,000 last year. ■
Now all personal and corporate-owned BlackBerry, iOS and Android devices can
seamlessly access business data and applications on a single, secure management
platform. To find out how this new approach will end mobile chaos, visit
blackberry.com/mobilefusion


BlackBerry 


TREND  ANALYSIS 


IT  shops  sifting  RIM’s  bold 
promises  and  plans 


BY JOHN  COX 

ORLANDO — Research in Motion executives and managers practiced staying “on
message” at BlackBerry World last week, repeating a series of mantras about the
company’s directions and product plans. Yet the simple message is running into
the hard practicalities of enterprise IT customers, and they want details and
nuance.

Sometimes both were in short supply at RIM’s annual customer conference in
Orlando. RIM is in the middle of a life-or-death transition, moving to a new
operating system, building support for it from application vendors and software
developers, and crafting the next generation of smartphones and tablets due out
later this year. RIM is creating plans and products at a rapid pace for both
consumer and enterprise markets.

But RIM’s enterprise customers are incredibly diverse. Some are stable or even
fast-growing BlackBerry shops. Some use the phones only for email and voice
calls, others with only minimal app downloads. Nearly all of them are at
different stages of struggling with how to deal with employees at all levels who
bring non-BlackBerry devices to work and want to access email at least and
sometimes more, often to the detriment of RIM. Surprisingly, few of those
interviewed are closely following BlackBerry 10, the next-generation mobile
operating system highlighted at BlackBerry World.

Cereal company MOM Brands, until recently known as Malt-O-Meal, has about 500
BlackBerry users, but few of them seem really satisfied with their smartphones,
according to a pair of technical support analysts at BlackBerry World. “Most of
our users are not BlackBerry fans,” says Tim Wood. “They want the iPhone.”

Colleague David Aman says he walks through the company and often sees a user’s
BlackBerry lying on the desk, “and another [brand of] phone right next to it.
It’s silly.” Some of the dissatisfaction is caused by a raft of small and
not-so-small annoyances, ranging from podcasts being stopped when a call comes
in and never resuming, to frustratingly poor battery performance.

Top executives now want iPads and iPhones, many of which are being informally
“tested” by these senior managers who bring them to work and then want support.
Aman says that IT is considering adopting a bring-your-own-device (BYOD) regime
as a way of simplifying mobile confusion and IT’s responsibilities.

Yet at South Africa-based Sasol, a global chemicals manufacturer, the mobile
policy bans personal devices in favor of corporate-issued BlackBerry
smartphones. At Sasol North America, headquartered in Houston, systems
administrator Tray Gonzalez has about 2,000 BlackBerry users in various regions,
with 500 in the U.S. The number has been increasing and field sales staff are
now testing a few BlackBerry PlayBook tablets.

“We haven’t allowed BYOD, but so many people are requesting it, that we’re
looking into it,” Gonzalez says. One concern is that a change in policy would
lead to an unmanageable explosion of iOS and Android devices.

Gonzalez says he’s impressed with RIM’s recent release of the BlackBerry Device
Service (BDS), an application for managing PlayBooks and all future BlackBerry
10 devices, and Universal Device Service (UDS), for managing iOS and Android
devices, under the umbrella product name of BlackBerry Mobile Fusion. The
classic BlackBerry Enterprise Server (BES) is needed for managing existing
handsets running the traditional BlackBerry OS. A Web portal, called Mobile
Fusion Studio, lets an administrator see the three separate device groups in a
unified view.

Gonzalez  plans  to  download  the  free, 
60-day  trial  version  of  the  Device  Service  and 
test  it  out.  “I  think  it’s  great,”  he  says. 

The Mobile Fusion family promises to let IT centralize a multi-platform device
population at Bed, Bath & Beyond, the housewares and home furnishings retailer
based in Union, N.J. Currently there are a little less than 500 corporate-issued
BlackBerry users, and now under the company’s recent BYOD program, about 300 iOS
users, says Paul Rubino, the company’s wireless supervisor. Some but not all of
the iOS users are former BlackBerry users.

PlayBooks are being tested in some stores, along with an in-house app for
real-time inventory management, and BlackBerry Device Service would be the
central tool for managing a far-flung deployment, Rubino says.

But some users are waking up to the potential costs of RIM’s Mobile Fusion
approach for mobile device management (MDM): a burgeoning back end of separate
servers. A multibillion-dollar diversified manufacturer has 4,500 BlackBerry
users, but also has 600 Apple iPads, which are managed by SAP’s Sybase Afaria
mobile management application. The company also has just installed BlackBerry
Device Service, to manage the few existing PlayBooks but in expectation of more
in the future. The idea is, “We have 4,500 users with the BES,” says an IT
staffer who manages mobile infrastructure support, and who spoke on condition of
anonymity. “If we can leverage that, that’s good.”

RIM CEO Thorsten Heins demos a smartphone running BlackBerry 10 at BlackBerry
World in Orlando last week.

But there are stumbling blocks. BDS and UDS, as do most other MDM offerings,
typically use Microsoft Exchange ActiveSync. EAS can be used to deliver email as
well as to exploit management or security features offered by Exchange Server.
RIM uses EAS in these services to deliver mail to non-BlackBerry devices. That
came as a surprise to the IT staffer at the big manufacturer. “We were expecting
to get secure mail delivery,” he says. “So now, it’s Microsoft that’s giving us
our ‘secure’ mail?”

In a conference session introducing Mobile Fusion, John Edward, a RIM senior
product manager, said the company leverages ActiveSync but “we add a secure
container on the device and a secure tunnel [to the enterprise].”

There are also the separate back-end servers that host BDS and UDS. Currently
the manufacturer has four BES servers, two of them as high-availability backups,
to support the BlackBerries in use. Both BDS and UDS will require one or two or
possibly more servers, and if they’re part of a high-availability deployment, a
backup server for each. The total BlackBerry server population could double or
more, he says.

Because the current BES architecture will not support BB10, enterprises will
have to deploy and test BlackBerry Device Service, before the rumored October
2012 release date of the first BB10 devices, he points out. ■
An RDP client and a smartphone copter

Mark Gibbs’ Gearhead

Oh, what a week it’s been.

Raveling the unraveled and fixing stuff I thought was fixed.

So, my first find of the week: I’m moving all of my Windows desktop boxes out
into a rack and the only machines I’ll have in my office will be an iMac and a
small flock of laptops and pad-style devices. Nice. But what Remote Desktop
Protocol (RDP) client to use on my iMac so I can access my PCs?


Microsoft’s RDP client, Remote Desktop Connection Client 2.1, doesn’t support OS
X 10.7 or later. Meh. Then I found CoRD, which is FOSS (free open source
software), small, fast, and runs on all versions of OS X.

CoRD is actually a native OS X Cocoa interface (API) version of rdesktop,
another FOSS product that has spawned a whole family of RDP clients, including
CoRD, that cover a wide range of operating systems.

When running multiple sessions you can have them in separate panes or have all
sessions unified into a single window along with the pane that lists your saved
servers.

You can run remote sessions full screen and also have any or all of your local
drives “forwarded” to the remote machines so they appear to be local to the
remote computer (the drives appear under “Computer”). It’s worth noting that
even if you change drive forwarding in the application preferences, that only
enables or disables forwarding globally so you’ll also need to enable forwarding
for each session you set up.

I’ve  only  been  running  CoRD  for  a  short 
time  but  it  appears  to  be  completely  stable  as 
well  as  being  fast  and  doing  the  job  perfectly. 
CoRD  gets  a  Gearhead  rating  of  5  out  of  5. 

My  next  delight  is  a  helicopter.  Well, 
actually  an  electric  toy  helicopter:  the  Griffin 
Helo  TC  Assault,  which  I  feel  is  reasonable  to 
include  in  this  column  as  it  uses  a  free  iOS  or 
Android  app  for  control  so  it  kind  of  fits  the 
whole  consumerization  of  IT  and  bring  your 
own  device  thing.  (Ha!) 

These flying machines are small (the fuselage is just 8 inches long) and you
charge the internal rechargeable battery using the supplied USB cable with a
special connector at the helicopter end.

The  Helo  TC  Assault  is  cooler  than  its 
older  brother,  the  Helo  TC,  because  it  has 
a  pair  of  missiles  that  can  be  fired  while 
you’re  flying!  The  controller  for  the  Helo 
is  a  block  that  clips  on  to  the  side  of  your 
smartphone.  This  device  has  a  lead  with  a 
jack  that  plugs  into  your  phone  and  a  bank 
of  infrared  LEDs  on  its  edge. 


The Helo app on the smartphone communicates with the controller via audio tones
and controls the helicopter’s lift power and trim adjustment along with control
of forward and backward movement, left and right rotation, and, if you’re flying
the Assault version, firing of each missile individually. There’s also an
emergency landing button so if you lose control (as I often do) you can try for
a soft landing or at least one where you don’t mangle the rotors. You can also
record a flight pattern and replay it.

Three people can each fly a Helo simultaneously (the controllers allow you to
choose one of three control channels) so the possibility of conducting
after-office hours aerial battles in the cubicle farm awaits you.

The  Helo  TC  Assault  is,  I  must  admit, 
tricky  to  fly  (maintaining  altitude  requires 
some  skill)  and  my  unit  seems  to  have  a 
battery  fault,  reducing  its  flying  time  from  a 
typical  10  minutes  down  to  about  60  seconds. 
Even  so,  the  Griffin  Helo  TC  Assault,  priced  at 
$59.99,  gets  a  Gearhead  rating  of  4.5  out  of  5. 

My  final  techno-frippery  of  the  week  is  a 
service  I  have  just  installed  called  SpiderOak. 
SpiderOak  provides  cloud-based  backup, 
file  synchronization,  and  file  sharing  across 
multiple  machines  running  different  OSs. 

“Meh,”  you  might  be  muttering.  “There 
are  scores  of  online  backup  services ...  what 
makes  this  one  noteworthy?”  The  answer, 
my  friend,  is  SpiderOak’s  “Zero-Knowledge 
Privacy  Standard.” 

The  big  idea  here  is  that  all  data  leaving 
your  computer  is  encrypted  before  it  gets 
transferred  and  SpiderOak  has  no  way 
to  view  your  content.  The  feds  could,  it 
is  claimed,  subpoena  SpiderOak  to  their 
heart’s  content  and  SpiderOak  could  tell 
them  nothing.  Nyet.  Nada.  So,  if  you  have 
deep,  dark  secrets  that  need  backing  up 
and/or  sharing  this  could  be  the  service 
for  you. 

SpiderOak  sees  Dropbox  and 
Box  as  its  primary  competition 
and,  at  $10  for  100GB  per  month, 
SpiderOak  is,  respectively,  half  and 
a  quarter  of  the  price  monthly  of  the 
other  services  as  well  as  far  more  private. 

Having  only  just  installed  the  SpiderOak 
I  can’t  say  that  I  really  know  all  the  ins  and 
outs  of  how  the  service  works  but,  so  far,  I’m 
impressed.  I’ll  rate  SpiderOak  sometime  in 
the  next  few  weeks.  ■ 

Gibbs  is  in  the  clouds  in  Ventura,  Calif.  Store 
your  thoughts  to  gearhead@gibbs.com. 


Griffin’s  Helo  TC  Assault  toy 
helicopter  is  controlled  via  smartphone  app. 
GADGETS

Easy-to-mold custom earbuds; 2TB portable storage for Mac users

Keith Shaw’s Cool Tools

THE SCOOP

Sculpted eers by Sonomax Technologies, about $300


► What it is: Eers are custom earbuds with an in-line microphone that feature
the company’s Sonofit Fitting System, which molds the earbuds to the shape of
the user’s ear — the outside part and just inside the ear canal. This creates a
unique custom fit and shape — once you create the earbuds, nobody else can use
or borrow them for such a fit.

►  Why  it’s  cool:  A  few  years  ago,  I  had  a  pair 
of  Ultimate  Ears,  which  required  a  visit  to  an 
audiologist  to  get  them  custom  molded.  The 
earbuds  worked  great,  but  the  plastic  form 
eventually  got  uncomfortable  when  wearing 
them  during  long  stretches.  Not  only  is  the 
process  easier  with  the  eers,  but  the  materials 
used  feel  a  lot  more  comfortable  inside  my 
ears  than  hard  molded  plastic. 


The process involves squirting some solution on the unformed
earbuds, then sticking them in your ears for five minutes
(the unit comes with an old-school headphone-like device that
helps you keep the earbuds in your ears during the molding
process).

The  earbuds  are  then  ready  to  use,  and  the 
shape  formed  through  this  process  makes 
them  unique  to  you.  The  earbuds  also  have  a 
handy  ear  loop  that  you  can  put  behind  your 
ears,  for  a  more  secure  fit. 

The  earbuds  sound  great,  making  them 
wonderful  for  taking  along  with  you  on  a 
long  flight,  or  if  you  want  earbuds  that  aren’t 
going  to  fall  out  when  you  are  working  out. 

► One caveat: At first the molding/sculpting process can feel
a bit daunting, so having someone help you with the fitting
is a suggestion. Also, when finished, the earbuds didn’t
completely seal inside my ears like I expected them to, so I
thought I may have messed up the process. But in the end, I
think it’s a good thing, as this made them feel more
comfortable than if I had jammed them inside my ears during
the molding process.

►  Grade  ★★★★  (out  of  five). 
My Passport Studio portable hard drive


by  Western  Digital,  about  $300  (for  2TB;  other 
capacities  include  1TB  for  $200, 750GB  for 
$180  and  500GB  for  $160) 


►  What  it  is:  A  portable  high-speed  storage 
drive  designed  for  the  Mac,  the  My  Passport 
Studio  provides  two  FireWire  800  ports  and 
one  USB  2.0  port  and  a  solid  metal  enclosure 
that  gives  Mac  users  additional  storage 
capacity.  The  drive  can  act  as  a  Time  Machine 
backup  for  the  Mac,  as  well  as  just  providing 
file  storage  space.  The  unit  also  comes  with 
WD  Drive  Utilities  and  WD  Security  apps, 
which  provide  diagnostics,  a  sleep  timer, 
erase  functionality  and  encryption. 


► Why it’s cool: I like the addition of a second FireWire 800
port. This lets you daisy chain an additional external storage
drive, or you can attach a different peripheral — this is
handy if you have multiple devices that need the FW800 port on
your system. Another plus is that the drive comes with a FW800
and USB 2.0 cable, instead of having them sold separately.

During my speed tests, I achieved between 62M and 65MBps of
write speeds, and between 15M and 35MBps of read speeds
(depending on the test and platform performed). This was
slower than some tests I’ve done via USB 3.0 drives, so don’t
expect super-speed data transfers with this drive (if you are,
head to Thunderbolt-connected units).


► Bottom line: If you’re a Mac user and you’re looking for a
solid drive with a ton of capacity (you’d be amazed about how
fast your hard drive fills up when editing/creating videos),
this is worth a look.

►  Grade  ★★★★ 


Shaw  can  be  reached  at  kshaw@nww.com. 
We  discovered  that  although  the
four  products  tested  show  promise, 
there’s  still  work  to  be  done.  Check 
Point,  SonicWall  and  Fortinet  were 
clustered  at  the  top  of  our  scorecard, 
but  still  have  areas  we  hope  to  see 
improved.  Barracuda  didn’t  score  as  well, 
but  is  in  the  middle  of  a  significant  product 
upgrade. 

The defining characteristic of a next-generation firewall is
the ability to identify and control traffic at the application
layer, so we designed a suite of 40 tests in nine categories
to see how well the firewalls lived up to their billing.

No one came close to a perfect score, with SonicWall SonicOS
identifying and blocking 26 of our 40 test applications,
followed closely by Check Point Security Gateway with 24,
Fortinet FortiGate with 21 and Barracuda NG Firewall with 18.

(Editor’s Note: In the first part of this test, which appeared
on April 23, vendors submitted their biggest, fastest boxes to
David Newman’s lab in California for performance testing. We
allowed vendors to send a smaller, lighter device within the
same product family to Joel Snyder’s Arizona lab for features
testing. In every case except SonicWall’s, the actual product
name was the same for both tests, just a different model
number. In SonicWall’s case, we tested the SuperMassive E10800
for performance and the NSA E8500 for features, so to avoid
any confusion we’re referring to the product here as SonicOS,
the operating system both models share.)

In our features testing, some apps caused more problems than
others. For example, in our quest for recent episodes of “The
Big Bang Theory” (porn for geeks), Check Point and SonicWall
blocked our BitTorrent client from reaching out and touching
Sheldon, while Barracuda and Fortinet didn’t.

On  the  other  hand,  Check  Point  couldn’t 
block  Skype  and  none  of  the  products 
blocked  Google’s  Gmail,  which  slipped 
through  when  we  hit  the  “click  here  for  basic 
HTML  if  your  browser  is  not  showing  you 
your  email”  button. 

SonicWall has so many subdivisions of every application, none
of which were documented or made any sense to us, that we gave
it a failing score when we tried to allow end users to see
Facebook, but not post to it — one of vendor marketing’s
favorite examples of why a next-generation firewall is a good


BY JOEL SNYDER

When  we  tested  four  next-generation  firewalls  strictly  on  performance,  we  found 
that  the  products  could  forward  packets  at  impressive  rates,  but  throughput 
dropped  when  advanced  security  features  were  turned  on.  We  now  dive 
deep  into  application  identification  and  control  —  the  defining  features  of 
next-gen  firewalls  —  to  find  out  what  works  and  what  doesn’t. 


NEXT-GENERATION  FIREWALLS  (PART  2) 

Application  layer  firewalls: 
Off  to  a  good  start 

Check  Point,  SonicWall  and  Fortinet  lead  the  way, 
but  all  four  products  tested  are  a  work  in  progress 


| Product | SonicWall SonicOS | Fortinet FortiGate | Check Point Security Gateway | Barracuda NG Firewall |
|---|---|---|---|---|
| Anti-Malware and URL Filtering (10%) | 4 | 4 | 4.5 | 3 |
| Intrusion Prevention (10%) | 3.5 | 4 | 4.5 | 3.5 |
| SSL Decryption (15%) | 4.5 | 3.5 | 3.5 | 3 |
| Next-Generation Application Identification (30%) | 4 | 3.5 | 4 | 3 |
| Basic Firewall Features (10%) | 4.5 | 4.5 | 5 | 4 |
| IPv6 Feature Set (5%) | 2.5 | 3 | 3 | 2.5 |
| Next-Generation Visibility (20%) | 3.5 | 4 | 4 | 3.5 |
| Total | 3.9 | 3.8 | 4.1 | 3.2 |

idea. It was possible to block Facebook completely, but you
can do that with a URL filter — you don’t need a
next-generation firewall. SonicWall would have had a higher
score if its application identification GUI wasn’t so poorly
designed.

The Check Point Security Gateway has a fantastic management
interface for application identification and control that is
much easier to use than the other products we tested. However,
the engine underlying that interface doesn’t work as well as
SonicWall’s. For example, we could easily create policies that
blocked particular parts of Facebook or LinkedIn, but those
policies didn’t actually work. Only when we blocked all of
LinkedIn, for example, did the firewall behave properly.

Fortinet’s FortiGate fit somewhere between SonicWall and Check
Point on the management interface front. Not as elegant as
Check Point, but much more usable than SonicWall, FortiGate
was easy to learn and use.

But FortiGate stumbled most when encrypted traffic was
involved. For example, a rule to block the popular webmail
application SquirrelMail worked great when SquirrelMail was
run over standard Port 80, but if we encrypted the same
traffic on standard HTTPS Port 443, FortiGate wouldn’t block
it — even though we could see that the FortiGate was
decrypting and re-encrypting the traffic as expected. The same
was true of Facebook — unencrypted Facebook was blocked or
allowed per policy, but if we simply used HTTPS for Facebook,
the policy didn’t work properly.

Barracuda  undergoing  update 

We had a difficult time making Barracuda’s next-gen firewall
block applications without some help from technical support,
largely because of the poor design of the management GUI.

For example, because application identification occurs in the
HTTP and HTTPS proxies, which are separate tools, you have to
duplicate policy, wasting time and adding the opportunity for
errors and inconsistencies. Barracuda told us that this, and
other problems we had in the GUI, would be fixed in release
5.4, so we advise waiting until that version is available
before even starting to test next-generation features.

Even if you do remember to change the policy in both proxies
in the Barracuda NG Firewall, you also have to be careful when
defining applications to be blocked. Although you get to pick
which application you want to block in the first screen that
pops up, you have to scroll down for three full screens before
you can enter the list of networks this rule applies to.

Apparently,  if  you  leave  that  blank,  it  doesn’t 
apply  to  any  users  or  networks,  nor  is  there 
any  pop-up  dialog  box  saying  “you’ve  created 
a  new  rule  that  doesn’t  actually  do  anything.” 

Overall, Barracuda turned in the lowest application
identification score because it didn’t have the ability to
match as many


CLEAR CHOICE TEST


Palo Alto stacks up well

Palo Alto Networks has bet everything on being a
next-generation firewall. Without the next-generation hook,
Palo Alto has little chance at breaking into the established
world of firewalls, and it's done a good job at defining the
category on its own terms.

In  our  initial  foray  into  testing 
next-generation  firewalls  last 
August,  we  looked  at  Palo  Alto’s 
PA-5060  by  itself,  so  it's  only 
logical  to  consider  how  Palo 
Alto  stacks  up  against  the  four 
vendors  in  this  test. 

We used a different methodology to test application
identification between the two tests, so we can’t make a
head-to-head comparison. Palo Alto’s PA-5060 had a higher
identification rate when we passed canned applications, but we
can't generalize from that. However, in areas such as
management of application firewall rules, we'd put it at the
top. Likewise, the Palo Alto PA-5060 had a good design for
what to do once application traffic matches, again putting it
at the top, with Check Point's Security Gateway.

Since Palo Alto didn’t have to carry any legacy GUI baggage
with it, the company was able to design its management from
the beginning to handle the integrated application
identification and threat mitigation features, all at once. On
the other hand, Palo Alto has a way to go with the performance
of its manage-
► See Palo Alto, page 36
applications as we were testing for. For example, the NG
Firewall didn’t have signatures for generic webmail
applications or tools such as Lotus Notes, Outlook Web Access
or SharePoint.

Some  of  the  application  categories  the  NG 
Firewall  did  have  didn’t  make  a  lot  of  sense  to 
us.  For  example,  to  block  YouTube,  you  have 
to  block  “social  networking,”  which  does 
work  —  but  it  blocks  more  than  just  YouTube. 

And when a category was successfully identified, the NG
Firewall didn’t always successfully block it. For example,
Microsoft and Apple software updates showed up in the logs
when we added a rule, but the NG Firewall wasn’t able to
successfully block them.

Additional  features 

The  demand  for  next-generation  firewalls  may 
be  focused  on  application  identification,  but 
we  believe  that  there  are  other  ways  to  “widen 
the  tuple”  to  help  network  managers  classify 
and  control  traffic.  For  example,  we  found  that 
all  four  of  the  products  we  tested  let  us  add 
user  or  group  information  to  policies. 

We were interested in other ideas so we went looking for
reputation-based policies, rate-based policies and
geography-based policies. For instance, a network manager
might want to block some applications, such as outbound FTP,
to or from particular geographic areas.

Fortinet’s FortiGate lets you write rules that refer to
geography rather than just IP addresses. But more often, these
features were not integrated into the firewall rule base.
Check Point and SonicWall, for example, both allow the network
manager to control traffic based on both IP reputation and
geography, but did not fully integrate this feature into the
firewall rule base; FortiGate has a slick rate-based policy
feature designed to avoid denial-of-service attacks, but
didn’t integrate it into its firewall rule base.

It’s a little early in the world of next-generation firewalls
to say what else should go into firewall rule bases beyond
application and user identification, but our testing showed
that engineers are thinking about different options in this
area.

Another area still out for discussion is exactly how
application (and other next-generation) controls are
integrated into the next-generation firewall. One school of
thought suggests that they should be folded directly into the
firewall rule base, creating a single unified policy that can
refer to IP addresses and ports, users and applications all at
once. The other approach seems to be pulling application
controls out into a separate rule base.

In  testing  four  products,  we  found  four 
approaches  to  this  question.  All  four  left 


Application-layer  test  results 

We  tested  each  next-gen  firewall  against  40  traffic  types  to  see  if  the  device 
could  identify  and  block  traffic.  (A  checkmark  means  the  firewall  passed  the 
test;  an  x  means  it  didn’t.) 


| Traffic type | Fortinet FortiGate | SonicWall SonicOS | Barracuda NG Firewall | Check Point Security Gateway |
|---|---|---|---|---|
| CHAT AND WEBMAIL (DATA LEAK-TYPE CONTROLS), MAIL PROTOCOLS | | | | |
| Yahoo Mail | ✓ | ✓ | ✓ | ✓ |
| Google Mail | x | x | x | x |
| SquirrelMail | ✓ | x | x | x |
| SquirrelMail/TLS, SquirrelMail IPv6 | x | x | x | x |
| SquirrelMail non-standard port | x | x | x | x |
| Google Talk Version 4 | ✓ | ✓ | x | ✓ |
| Google Talk Version 6 | x | x | x | x |
| AOL Instant Messenger | x | ✓ | ✓ | ✓ |
| Lotus Notes | x | x | x | ✓ |
| Microsoft Outlook Web Access | x | x | x | x |
| SMTP/25, SMTP+TLS/25 | ✓ | ✓ | ✓ | ✓ |
| SMTP non-standard port (NSP) | ✓ | x | ✓ | ✓ |
| SMTP+TLS NSP | ✓ | x | ✓ | x |
| SMTPS/465 | x | ✓ | x | x |
| IMAP/143, IMAP+TLS/143 | ✓ | ✓ | ✓ | ✓ |
| IMAPS/993 | x | ✓ | x | x |
| IMAP NSP | ✓ | x | ✓ | x |
| SOCIAL NETWORKING, SERVER PROTECTING | | | | |
| Facebook Read | ✓ | ✓ | ✓ | ✓ |
| Facebook Write | x | ✓ | ✓ | x |
| LinkedIn Read | ✓ | ✓ | ✓ | ✓ |
| LinkedIn Write | x | ✓ | ✓ | x |
| Private label social networking | x | x | x | x |
| SharePoint | ✓ | ✓ | x | ✓ |
| Exchange | x | x | x | x |
| EVASION, REMOTE ACCESS | | | | |
| Evasion - Facebook | x | ✓ | x | ✓ |
| Evasion - LinkedIn | ✓ | x | x | ✓ |
| Evasion - SharePoint | ✓ | ✓ | x | ✓ |
| Microsoft Terminal Services | ✓ | ✓ | ✓ | ✓ |
| VNC | ✓ | ✓ | x | ✓ |
| PEER-TO-PEER, STREAMING VIDEO/AUDIO | | | | |
| BitTorrent | x | ✓ | x | ✓ |
| YouTube | x | ✓ | ✓ | ✓ |
| Internet radio | ✓ | ✓ | x | ✓ |
| VOIP AND VIDEOCONFERENCING, SOFTWARE AND SIGNATURE UPDATES | | | | |
| Skype | x | ✓ | ✓ | x |
| SIP voice over IP | ✓ | ✓ | ✓ | ✓ |
| H.323 videoconferencing | ✓ | ✓ | ✓ | ✓ |
| Apple Software Update | x | ✓ | x | ✓ |
| Microsoft Windows Update | ✓ | ✓ | x | ✓ |
| Sophos Anti-Virus Update | x | x | x | x |
| TOTALS | 21 | 26 | 18 | 24 |
user-based (and user group-based) controls in the main
firewall rule base. From there, though, we found lots of
variation. The Fortinet approach integrates everything into a
single rule base, which we found the easiest to manage and the
most intuitive from a basic security point of view. This
approach is potentially the most powerful because it allows
traffic to continue to flow only when all attributes match up,
and it allows you to interleave rules with and without
application controls.

Check Point and SonicWall broke the application rules out from
normal firewall rules, meaning that traffic must first pass
through the firewall rules and be allowed before any
application controls come into play. In the Check Point model,
application and URL filtering rules are integrated into a
single rule base, while SonicWall has a stand-alone
application firewall module.

Barracuda’s  NG  Firewall  puts  separate 
application  rule  sets  in  its  HTTP  and  HTTPS 
proxy  software.  We  found  this  problematic, 
not  only  because  you  have  to  define  duplicate 
policies,  but  also  because  the  way  that  policy 
definitions  are  created  makes  it  impossible  to 
mix  “pass”  and  “block,”  severely  limiting  the 
flexibility  of  the  engine.  Barracuda  told  us  it 
had  this  slated  for  a  fix  in  Version  5.4. 

Check Point and SonicWall engineers both defended their
choices by pointing out a problem in application firewalls:
You can’t decide what application is being run without
allowing some traffic through the firewall, including,
perhaps, traffic that the network manager might want to have
blocked.

An example might be helpful. Suppose you have a corporate
policy that says “SMTP outbound is allowed only on Port 25.”
Taken in isolation, this means that you’d have to write two
rules, one to allow SMTP on Port 25 and the other to block
SMTP on all other ports. Then, you could have additional allow
rules, such as allowing HTTP or IM outbound traffic on
multiple ports. The result of this policy


SSL  decryption:  SonicWall  delivers 


If  one  of  the  main  advantages  of  a  next-generation  firewall 
is  application  and  protocol  identification  and  control,  then 
SSL  decryption  is  a  basic  requirement.  We  looked  at  the  SSL 
decryption  capabilities  of  the  next-generation  firewalls  to  see 
how  well  they  would  be  able  to  discover  applications,  protocols 
and  URLs  hidden  within  encrypted  connections. 

When SSL decryption is in place, the firewall performs a
“sanctioned man-in-the-middle attack.” This means that the
firewall intercepts the SSL connection and performs a
man-in-the-middle attack to decrypt the contents. Because the
attack is done with the permission of the enterprise, it’s
called “sanctioned.”

This requires that the enterprise have a private certificate
authority that is trusted by all users behind the firewall,
and that the certificate authority can issue a “signing”
certificate. The signing certificate is loaded into the
next-generation firewall, and for every SSL connection, the
firewall generates a new certificate in real time and uses it
to secure the SSL connection between the end user and the
firewall, replacing the original certificate. The firewall
then secures its own connection to the server using the
server’s original certificate. Because the firewall is
stacking together two encrypted connections, it can see the
traffic, unencrypted.

The only next-generation firewall we tested that did a good
job of SSL decryption was SonicWall. With two check boxes, we
were able to enable SSL decryption and then apply the
next-generation firewall features to the traffic. Four more
check boxes enable antivirus, anti-spyware, intrusion
prevention and content filtering on the SSL traffic. The
configuration, including loading our own certificate authority
certificate, was simple and fast, and the decryption worked.
Additional features we were looking for, such as the ability
to exempt traffic from decryption by IP address, user group or
certificate common name (such as “www.bankofamerica.com” or
“www.kaiserpermanente.org”) were no problem.

We also tested that the SonicWall system could pass through
certain errors to clients, such as a self-signed certificate
(SonicOS figured that one out) or a certificate that was
revoked by the issuer (not detected by SonicOS), and
discovered that there is still some work to be done.


The  story  was  not  nearly  as  good  with  the  other  firewalls. 
Check  Point’s  Security  Gateway  has  a  more  elaborate  and 
better  thought-out  configuration  system  with  more  bells  and 
whistles.  For  example,  with  the  Security  Gateway  you  could 
exempt  all  domains  in  a  certain  category  (such  as  financial 
services)  from  being  inspected.  The  Security  Gateway  also 
passed  all  of  our  SSL  validation  checks,  detecting  revoked  and 
self-signed  certificates  just  fine.  However,  the  Security  Gateway 
can  only  inspect  HTTP  traffic  on  known  SSL  ports.  This  means 
that  an  application  that  runs  over  non-standard  ports  won’t  be 
inspected,  and  neither  will  any  application  that  uses  a  different 
protocol  —  such  as  email,  instant  messaging  or  file  transfer. 

Fortinet’s FortiGate did a better job at covering more
protocols, handling HTTP, SMTP, POP3, FTP and IMAP running
over SSL, but only on known ports. Fortinet’s engineers told
us that the SSL decryption is linked to their antivirus
transparent proxy system, which is what kept it from running
across more ports. But what FortiGate made up for in coverage,
it lost in configuration controls. There’s no way to exempt
traffic from decryption except by IP address, and the
FortiGate let through both self-signed and revoked
certificates, making two invalid websites look as if they were
well secured, even when the firewall was configured to block
invalid SSL certificates.

We were also disappointed in the SSL decryption capabilities
of the Barracuda NG Firewall. Unlike other next-generation
firewalls, the NG Firewall requires you to explicitly
configure HTTP clients (no other protocol is covered) to use
the HTTPS proxy on the NG Firewall. This means that if the
client can get through the firewall without using the proxy or
can send the traffic over any other port, the NG Firewall
won’t be able to apply next-generation controls or IPS
signatures to the encrypted traffic, even if the traffic goes
through the NG Firewall. Barracuda’s engineers told us that
this limitation will be lifted in Version 5.4.

Overall, the results were disappointing, since only one
product, SonicWall SonicOS, supported what we considered basic
functionality. This suggests that the products are still
evolving rapidly to meet the requirements for this new product
category and that the PR and marketing teams are moving a bit
faster than the engineers.
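The per-connection decision the sidebar tests for (exemption by IP address, user group or common name, then validation of the server's certificate before a substitute is minted), as an added example that is not from the article or any vendor. Certificates are plain records with no real cryptography, all names except the two exempt hostnames quoted above are constructed, and signalling an invalid certificate by minting under an issuer the clients do not trust is an assumption of this model.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
from itertools import count

Cert = namedtuple("Cert", "common_name issuer serial")
Conn = namedtuple("Conn", "client_ip user_group server_cert")

# Constructed environment: placeholder names, not real CAs.
PUBLIC_ROOTS = {"Example Public Root"}
REVOKED = {("Example Public Root", 7001)}   # (issuer, serial) the issuer revoked
SIGNING_CA = "Corp Signing CA"              # trusted by all users behind the firewall
UNTRUSTED_CA = "Corp Untrusted CA"          # assumption: absent from client trust stores

EXEMPT_NETS = [ip_network("10.20.30.0/24")]
EXEMPT_GROUPS = {"hr"}
EXEMPT_NAMES = {"www.bankofamerica.com", "www.kaiserpermanente.org"}

_serial = count(1)


def upstream_problem(cert):
    """Why the server's own certificate is invalid, or None if it is fine."""
    if cert.issuer == cert.common_name:
        return "self-signed"
    if cert.issuer not in PUBLIC_ROOTS:
        return "untrusted-issuer"
    if (cert.issuer, cert.serial) in REVOKED:
        return "revoked"
    return None


def client_trusts(cert):
    """What a browser behind the firewall concludes about the cert it is shown."""
    return cert.issuer == SIGNING_CA or upstream_problem(cert) is None


def is_exempt(conn):
    """Exempt by client IP, user group or certificate common name."""
    ip = ip_address(conn.client_ip)
    return (any(ip in net for net in EXEMPT_NETS)
            or conn.user_group in EXEMPT_GROUPS
            or conn.server_cert.common_name.lower() in EXEMPT_NAMES)


def mint(cert, issuer):
    """Substitute certificate: same name, firewall-chosen issuer, new serial."""
    return Cert(cert.common_name, issuer, next(_serial))


def naive_intercept(conn):
    """Failure mode: re-sign without validating the server certificate."""
    return "inspect", mint(conn.server_cert, SIGNING_CA)


def intercept(conn, on_invalid="block"):
    """Return (action, certificate presented to the client, or None)."""
    if is_exempt(conn):
        return "bypass", conn.server_cert          # client validates end to end
    problem = upstream_problem(conn.server_cert)
    if problem is None:
        return "inspect", mint(conn.server_cert, SIGNING_CA)
    if on_invalid == "block":
        return "block:" + problem, None
    # Pass the error through: the client still gets a warning.
    return "warn:" + problem, mint(conn.server_cert, UNTRUSTED_CA)


# Constructed sample connections.
GOOD = Conn("10.1.1.5", "staff", Cert("www.example.test", "Example Public Root", 1000))
REVOKED_SITE = Conn("10.1.1.5", "staff",
                    Cert("revoked.example.test", "Example Public Root", 7001))
SELF_SIGNED = Conn("10.1.1.5", "staff",
                   Cert("selfsigned.example.test", "selfsigned.example.test", 1))
BANK = Conn("10.1.1.5", "staff", Cert("www.bankofamerica.com", "Example Public Root", 2000))

if __name__ == "__main__":
    for name, conn in [("good", GOOD), ("revoked", REVOKED_SITE),
                       ("self-signed", SELF_SIGNED), ("bank", BANK)]:
        action, shown = intercept(conn, on_invalid="warn")
        _, naive = naive_intercept(conn)
        print(f"{name:12} {action:18} client trusts: {client_trusts(shown)!s:5} "
              f"(naive re-sign: {client_trusts(naive)})")
```

In the naive path the revoked and self-signed sites both come out trusted, which is the "two invalid websites look as if they were well secured" result reported for FortiGate above.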
Check Point wins URL filtering tests

URL filtering has become a “check box” feature on most unified threat
management firewalls, and no wonder: It doesn’t require a lot of imagination to
do it right, and it’s hard to really differentiate yourself or do a bad job of it.
Three of the vendors tested — SonicWall, Fortinet, and Barracuda — had nearly
identical interfaces to define URL filtering policy. There are some minor
differences — for example, Fortinet had a cute feature that would limit the
amount of time you could spend on a category (“you can look at sports pages,
but only for five minutes”), but generally there was little difference.

The  Barracuda  NG  Firewall  had  one  major  flaw,  to  be  fixed  in  v5.4,  which  required 
us  to  set  up  separate  and  independent  policies  for  the  HTTP  and  HTTPS  proxies, 
doubling  the  time  to  maintain  the  policy  and  increasing  the  chance  of  human  error. 

Check Point takes a very different approach by integrating URL filtering with
application identification and control into a single policy. Check Point’s
combination of the two tools is a better way of building a next-generation
firewall. URL filtering and application controls are closely related and
overlap in many ways.

For example, blocking access to external webmail servers can use both
application identification, to find private webmail servers, and URL filtering,
to find public webmail servers. Combining the two techniques is better than
using just one.

Our  anti-malware  testing  really  highlighted  differences  between  the  products 
and  their  approaches  to  scanning  for  viruses  across  broad  categories  of  traffic. 

The  two  stars  of  the  show  here  were  Fortinet,  for  having  the  best  antivirus  engine, 
and  SonicWall,  for  having  the  best  coverage  across  different  types  of  traffic. 

Both  Check  Point  Security  Gateway  and  Barracuda  NG  Firewall  did  poorly  at  the 
task  of  finding  viruses  across  many  different  applications,  although  Check  Point 
Security  Gateway  did  include  a  new  anti-bot  detection  system. 

We  tested  using  a  small  handful  of  recent  viruses  that  we  found  in  the  wild  just 
before  our  testing  started.  Each  of  the  products  had  plenty  of  time  —  more  than  two 
weeks  —  to  update  their  signatures  to  catch  the  viruses  we  used.  FortiGate  caught 
100%  of  the  viruses  we  threw  at  it.  Next  in  line  was  SonicOS,  which  caught  100% 
of  the  viruses  when  we  sent  them  over  HTTP  and  HTTPS  protocols,  but  slightly  less 
when  we  used  FTP,  IMAP  and  SMTP.  Check  Point  Security  Gateway  and  Barracuda 
NG  Firewall  caught  fewer  viruses  in  our  small  sample  (80%  and  90%,  respectively). 

The more important result was coverage across various protocols, and this is
where SonicWall shined. Only SonicWall managed to find viruses no matter where
we hid them. In configuring SonicWall to catch malware, you don’t list specific
ports, but applications running on top of those ports: HTTP, FTP, IMAP, SMTP,
POP3, CIFS (Microsoft file sharing) and “everything else.” When we sent viruses
using common protocols through the firewall, the anti-malware engine inspected
the traffic. It didn’t catch each virus in each scenario, but there were no gaping
holes where inspection didn’t activate at all.
► See Check Point, page 36


would be that the firewall would have to allow all other
traffic outbound to connect and transfer data long enough to
decide whether or not it was SMTP traffic. Our vendor
engineers were concerned that this could easily result in
unintended consequences and insecure configurations — a
reasonable objection.

This is one area where next-generation firewall vendors are
still finding their way. We think that Fortinet is on the
right track here, but since this is an open area of
discussion, we did not include it in our scorecard.
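The “SMTP outbound is allowed only on Port 25” objection, as a runnable model added here (not code from the article or from any vendor). `unified` and `two_stage` are hypothetical simplifications of the single rule base and the firewall-rules-first designs described above; the classifier is a toy and the traffic is constructed sample data.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "action app ports")            # app/ports None = any
Verdict = namedtuple("Verdict", "action app forwarded_bytes")

# Constructed sample traffic: payload chunks in the order they cross the firewall.
SMTP_CHUNKS = [b"220 mail.example.test ESMTP\r\n", b"EHLO host.example.test\r\n"]
HTTP_CHUNKS = [b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"]
OPAQUE_CHUNKS = [b"\x8f\x02\x11\x00" * 8, b"\x00" * 64]


def identify(data):
    """Toy classifier: it can only name an application after seeing payload."""
    if data.startswith(b"220 ") and b"SMTP" in data:
        return "smtp"
    if data.startswith((b"GET ", b"POST ")):
        return "http"
    return None


def classify(chunks):
    """Forward chunks until the classifier decides; return (app, bytes forwarded)."""
    seen, forwarded = b"", 0
    for chunk in chunks:
        forwarded += len(chunk)      # this data has already passed the firewall
        seen += chunk
        app = identify(seen)
        if app:
            return app, forwarded
    return None, forwarded           # never identified: the whole flow was forwarded


def first_match(rules, app, port):
    """First rule whose application and port criteria both match; default deny."""
    for rule in rules:
        if rule.app in (None, app) and (rule.ports is None or port in rule.ports):
            return rule.action
    return "block"


def unified(rules, port, chunks):
    """One rule base mixing ports and applications."""
    could_allow = any(r.action == "allow" and (r.ports is None or port in r.ports)
                      for r in rules)
    if not could_allow:
        return Verdict("block", None, 0)         # decidable on the first packet
    app, forwarded = classify(chunks)
    return Verdict(first_match(rules, app, port), app, forwarded)


def two_stage(open_ports, app_rules, port, chunks):
    """Port firewall first; application control only sees what it allowed."""
    if port not in open_ports:
        return Verdict("block", None, 0)
    app, forwarded = classify(chunks)
    return Verdict(first_match(app_rules, app, port), app, forwarded)


# The policy from the text: SMTP only on port 25, plus HTTP allowed on any port.
RULES = [
    Rule("allow", "smtp", {25}),
    Rule("block", "smtp", None),
    Rule("allow", "http", None),
]
OPEN_PORTS = {25, 80, 8080}          # constructed port policy for the two-stage design

if __name__ == "__main__":
    cases = [("SMTP on 25", 25, SMTP_CHUNKS), ("SMTP on 2525", 2525, SMTP_CHUNKS),
             ("SMTP on 8080", 8080, SMTP_CHUNKS), ("HTTP on 8080", 8080, HTTP_CHUNKS),
             ("opaque on 4444", 4444, OPAQUE_CHUNKS)]
    for name, port, chunks in cases:
        u = unified(RULES, port, chunks)
        t = two_stage(OPEN_PORTS, RULES, port, chunks)
        print(f"{name:15} unified: {u.action:5} after {u.forwarded_bytes:3} bytes | "
              f"two-stage: {t.action:5} after {t.forwarded_bytes:3} bytes")
```

Both designs reach the same verdicts; the difference is how much data crosses before a block. On any port the port policy leaves open (8080 here) the two-stage design forwards the same bytes as the unified one.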

Next-gen  visibility 

Knowing  what’s  happening  on  your  network 
is  a  prerequisite  to  controlling  the  traffic.  We 
call  that  “visibility”  because  it  combines  all  of 
the  information  the  firewall  knows,  including 
session  and  application  information,  traffic 
volumes  and  rate  information,  into  a  way  to 
“see”  into  your  network  —  to  give  you  visibility. 

In a traditional firewall, visibility is a nice-to-have,
because security policy dictates what ports are allowed
inbound and outbound and other tools, such as NetFlow
analyzers, can be used to dig into traffic. In next-generation
firewalls, where the emphasis is on controlling application
usage, visibility is a requirement.

Applications  may  have  many  different 
names  and  categories,  and  compared  to  ports 
and  IP  addresses,  we  found  tremendous 
variation  and  ambiguity.  Without  visibility 
and  knowing  how  the  firewall  classifies  each 
application  it  identifies,  you  can’t  write  the 
rules  that  make  a  next-generation  firewall 
“next-generation.” 

We  quickly  found  that  if  you  want  good 
reporting,  you  need  to  have  an  external 
device  to  do  it.  SonicWall  and  Fortinet  both 
have  internal  reporting  engines;  both  engines 
had  problems  during  our  testing,  which  was 
entirely  expected  by  the  on-site  engineers. 

Fortunately,  all  products  have  off-box 
reporting  engines  that  are  critical  to  offer¬ 
ing  next-generation  visibility.  Check  Point 
customers  are  not  off  the  hook  here  either, 
because  the  standard  Check  Point  reporting 
system  won’t  do  —  you  really  must  add  on 
the  optional  SmartEvent  to  get  the  visibility 
required  for  next-generation  firewalls. 

Fortinet FortiGate and Check Point Security Gateway
(SmartEvent) gave us the best visibility into our traffic,
with a combination of drill-downs, visual reporting including
charts, lists and “top-10” type lists. FortiGate’s on-box
dashboard was an especially slick visualization tool, which
let us add “widgets” that included mini-reports that were
constantly updated. FortiGate’s dashboard wasn’t just a
visualization tool, because it included the ability to
drill-down to get additional information.


Our  only  complaint  about  the  dashboard  is 
that  the  display  tool  crashed  in  our  browser 
several  times  during  testing. 

The FortiGate reporting engine is based on
an SQL database and Fortinet isn’t shy about
exposing the internals of the database. All
reports are configured within the firewall
and you can easily get to the raw SQL used to
generate the results. If you’re the type of network
manager who wants a lot of very custom
reports, but doesn’t want to extract the data and
dump it into your own database, Fortinet’s
approach will be very attractive.


SonicWall and Barracuda also have good
visibility tools, but we found them weaker
than what Fortinet and Check Point offered.
SonicWall confuses the issue a bit by having
four separate visibility tools, ranging from
the on-box tools (only suitable in very small
environments) to their enterprise-class management
system, SonicWall GMS.

We looked at GMS, and were disappointed
to see that there isn’t feature parity between
the on-box reporting and the high-end GMS.
For example, in on-box reporting you can generally
drill down to individual log entries, and
then go directly to policy editing if you want. With
GMS, you can drill down, but if you want to change
policy, you’ll have to go find the affected rule yourself
before you can start editing it.

Visibility isn’t just reporting and top-10 lists;
you also might want to look at what is happening
in the firewall right at this moment. Instantaneous
reporting is a weakness of most firewalls, but we
found a great reporting screen in the Barracuda
NG firewall that let us see open connections flowing
through the firewall in real time.

Overall,  we  think  that  the  visibility  tools  we 
found  offer  a  good  start  into  what  is  needed  for 
next-generation  firewalls.  All  of  the  products 
have  slightly  different  approaches,  but  it  was  clear 
that  an  off-box  reporting  engine  is  a  minimum 
requirement. 

Fortinet’s FortiGate FortiAnalyzer and Check
Point Security Gateway SmartEvent led the pack,
with Barracuda NG Firewall and SonicWall SonicOS
falling slightly behind.

Taking  action 

Another area we looked at was the action options.
In our testing, we simply asked the firewalls to block
traffic. But in the case of Web-based applications,
the network manager might want to intercept the
request and display a page to the end user indicating
that security policy prohibited the transaction.

The Check Point Security Gateway, which integrated
URL filtering with application identification,
was the only product that included this feature. The
Security Gateway actually goes further than that,
allowing the next-generation application identification
rule to have an action that displays the “page
blocked” message while allowing the user to click on
through after acknowledging a warning.

We  found  other  options  as  well.  For  example, 
SonicWall  and  Fortinet  let  an  application  rule 
apply  some  QoS  settings,  such  as  limiting  traffic 
or  guaranteeing  traffic.  Both  also  allow  an  action  of 
“log  packets”  to  save  a  transaction  for  later  analysis. 

When it comes to actually identifying and blocking
applications, we would prefer a hypothetical
product mixing two of the devices we tested: the
SonicWall SonicOS engine configured by the
Check Point Security Gateway management system.
In the absence of such a mythical beast, SonicWall
did the best job of identifying and controlling
applications, but we found room for improvement
in everything we tested. ■

Snyder, a Network World Test Alliance partner, is
a senior partner at Opus One in Tucson, Ariz. He
can be reached at Joel.Snyder@opus1.com.


Go online for sections on IPS, UTM and
basic firewall functionality: tinyurl.com/d7ff9nk


►  Palo  Alto,  from  page  29 

ment  system,  which  is  frustratingly  slow  when  applying  changes. 

Visibility,  showing  you  what  is  happening  on  your  network,  is  another  area 
where  Palo  Alto's  PA-5060  shined  in  our  test.  Starting  from  scratch  with  the 
goal  of  next-generation  visibility  gave  Palo  Alto  a  big  leg  up,  and  the  PA-5060 
came  out  of  the  starting  gate  with  an  outstanding  visibility  tool,  setting  the 
standard  for  this  category.  While  Check  Point  has  some  great  features  in 
SmartEvent,  the  prize  for  accessible  visibility  has  to  go  to  Palo  Alto. 

We didn't test the PA-5060’s SSL decryption capabilities as systematically
as we did the products in this test, but because the PA-5060 has an
architecture more like SonicWall, with virtually unlimited SSL decryption, we
expect it would have also landed at the top of the list with SonicWall.

When  it  comes  to  UTM  features,  the  Palo  Alto  PA-5060  can  be  compared 
more  closely  to  the  products  we  tested.  When  it  comes  to  IPS  coverage, 
the  PA-5060  turned  in  scores  in  the  low  90%  range,  putting  it  up  near  the 
high  scorers  in  our  IPS  testing.  For  the  antivirus/anti-malware  testing,  the 
PA-5060  fit  more  in  the  bottom  of  the  range  of  our  testing. 

We stand by our original PA-5060 test headline back in August: “Palo Alto
earns short list status.” If you are considering replacing your firewall to gain
next-generation features, Palo Alto remains a credible contender.


►  Check  Point,  from  page  34 

The FortiGate anti-malware engine works great, but would only inspect
traffic on ports we explicitly listed. This means that a web server on a
common port, say port 80 or 443, would be inspected just fine. However,
if someone on the Internet had a web server with some malware on a non-standard
port, such as 81, then the FortiGate wouldn’t catch it. Your alternatives
are to block non-standard ports — a sure recipe for unhappy users and
a poor workaround — or to have a hole in your security coverage.
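The size of that hole can be measured from flow data. The following is an added example, not code from the article or from any vendor: it classifies each flow by its first payload bytes instead of its port and totals the web traffic that lands on ports outside the scanner's list. The port list, field names and flow records are constructed assumptions.

```python
from collections import defaultdict

# Assumption: the ports the malware scanner has been told to inspect.
INSPECTED_PORTS = frozenset({80, 443, 8080})

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


def classify_payload(first_bytes):
    """Identify the protocol from the first client bytes, ignoring the port."""
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello) at offset 5.
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    return "unknown"


def find_coverage_gaps(flows, inspected_ports=INSPECTED_PORTS):
    """Group web flows on uninspected ports by (protocol, destination port)."""
    gaps = defaultdict(lambda: {"flows": 0, "bytes": 0, "servers": set()})
    for flow in flows:
        proto = classify_payload(flow["first_bytes"])
        if proto == "unknown" or flow["dport"] in inspected_ports:
            continue  # not web traffic, or the scanner already sees it
        entry = gaps[(proto, flow["dport"])]
        entry["flows"] += 1
        entry["bytes"] += flow["bytes_down"]
        entry["servers"].add(flow["server"])
    return dict(gaps)


def report(gaps):
    """Return one summary line per gap, largest download volume first."""
    ordered = sorted(gaps.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [
        f"{proto}/{port}: {info['flows']} flow(s), {info['bytes']} bytes, "
        f"servers: {', '.join(sorted(info['servers']))}"
        for (proto, port), info in ordered
    ]


# Constructed sample data (documentation address ranges, made-up byte counts).
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B])
SAMPLE_FLOWS = [
    {"server": "198.51.100.7", "dport": 80,
     "first_bytes": b"GET /index.html HTTP/1.1\r\n", "bytes_down": 15320},
    {"server": "198.51.100.7", "dport": 81,
     "first_bytes": b"GET /update.bin HTTP/1.1\r\n", "bytes_down": 48213},
    {"server": "203.0.113.20", "dport": 8443,
     "first_bytes": TLS_HELLO, "bytes_down": 9120},
    {"server": "203.0.113.20", "dport": 443,
     "first_bytes": TLS_HELLO, "bytes_down": 22870},
    {"server": "192.0.2.33", "dport": 81,
     "first_bytes": b"POST /form HTTP/1.1\r\n", "bytes_down": 1200},
    {"server": "192.0.2.50", "dport": 22,
     "first_bytes": b"SSH-2.0-OpenSSH_8.9\r\n", "bytes_down": 5400},
]

if __name__ == "__main__":
    for line in report(find_coverage_gaps(SAMPLE_FLOWS)):
        print(line)
```

Fed with real flow exports, the same grouping shows which ports would need to be added to the inspection list before deciding whether to block the rest.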

The Check Point Security Gateway was undergoing rapid change in the area
of anti-malware when we tested it, and so our results may not be representative
of the final status when version R75.40 of the software is finally released.
Check Point told us that it was working with its anti-malware engine supplier
to achieve higher catch rates, but that some of our test scenarios, such as
IMAP and SMTP over TLS, would not be supported even in the final release.

One of the anti-malware features Check Point offered that we didn’t see
in the other products was anti-bot protections. If anti-malware works to prevent
infections, Check Point’s anti-bot protection is designed to catch post-infection
behaviors such as command-and-control channels and attempts to
spread the infection or send spam. We didn’t test the anti-bot protections,
since none of the other vendors offered this feature.

We  had  a  more  difficult  time  testing  the  NG  Firewall’s  anti-malware 
features  because  it  uses  proxies  to  handle  virus  scanning.  Barracuda  told  us 
many  of  the  issues  we  saw  in  this  part  of  our  testing  will  be  resolved  in  v5.4. 

In  the  case  of  HTTP  traffic,  the  NG  Firewall  transparently  intercepts  the 
traffic  as  long  as  it’s  on  a  standard  port.  For  HTTPS  traffic,  the  NG  Firewall 
must  be  manually  configured  as  a  secure  proxy  —  unlike  the  rest  of  the 
products  we  tested  —  so  we  had  to  change  our  testing  methodology  just  to 
get  the  firewall  to  scan  the  HTTPS  traffic. 

We  ran  into  different  issues  trying  to  get  the  Barracuda  NG  Firewall  to 
scan  mail  traffic.  This  only  works  if  the  firewall  is  used  as  a  mail  gateway. 

When it comes to picking the best anti-malware, SonicWall and Fortinet
turned in the best results in our filtering, but we think that the Check Point
Security Gateway's anti-bot feature and unified URL filtering and application
control features give it a slight advantage.
Thwarting employer Facebook snoops


IF YOUR employer or a potential employer
asked you to hand over the keys to your
house so they could search your possessions
looking for something unspecified, I suspect you would be a little
surprised and not a little outraged. Well, over the last few months there
have been a significant number of reports of employers and colleges
doing the digital equivalent of asking for your house keys by requesting
Facebook passwords from employees, applicants and students.

For  example,  a  widely  reported  Associated  Press  story  covered  how 
a  statistician,  Justin  Bassett,  applied  for  a  job  in  New  York  and,  because 
the  interviewer  couldn’t  see  his  private  profile  on  Facebook,  asked  him 
to  divulge  his  login  information.  Bassett  not  only  refused,  he  withdrew 
his  application  saying  “he  didn’t  want  to  work  for  a  company  that 
would  seek  such  personal  information.” 

Well  done,  Mr.  Bassett,  but,  alas,  given  the  current  unemployment 
rate,  not  everyone  can  afford  to  stand  up  for  their  rights. 

In some cases, instead of asking for account passwords, employers
ask to “shoulder surf.” According to MSNBC, “In Maryland, job seekers
applying to the state’s Department of Corrections have been asked
during interviews to log into their accounts and let an interviewer
watch while the potential employee clicks through wall posts, friends,
photos and anything else that might be found behind the privacy wall.”

The least intrusive but still unacceptable form of monitoring is to
demand that employees accept Facebook friend requests from management
so the subject’s social activity can be observed.

What I can’t figure out is, who comes up with these policies? Who,
sitting in their office, pondering the issues of potential staff or student
misbehavior, thinks to themselves, “That’s it! We need to be as intrusive
and coercive as possible!”? You have to wonder what comes next ...
mandatory cavity searches on entering and leaving work?

I  suspect  the  reason  these  various  organizations  are  so  willing  to 
overreach  in  the  digital  world  is  that  it’s  easy,  and  obviously  the  “group 
think”  driving  their  decision-making  lacks  any  ethical  or  moral  basis. 

Real-world monitoring is hard to do, it’s expensive, and there are
laws that prohibit such invasive intelligence gathering, while monitoring
social media is very easy to do, comparatively cheap, and there’s
little in the way of legislation to stop it.

This situation is wrong in so many ways, so it was with great pleasure
I read that on April 27 Rep. Eliot Engel (D-N.Y.) introduced the
Social Networking Online Protection Act, or SNOPA, which is similar
to a bill passed in Maryland last month.

SNOPA would make it illegal for an employer or school to require
you to provide your Facebook, Twitter, or other social network passwords
during the hiring process or as a term of your employment, and
the penalty for violations would be $10,000 per incident.

Needless to say, SNOPA is a work in progress. Getting the bill passed
could be tricky and campaigns in support of SNOPA will emerge so
that we, the great unwashed, can show our support for what will be
groundbreaking legislation that, for once, will protect rather than
weaken our digital rights. This is a bill that you have to support if you
believe in your right to privacy online. ■

Gibbs  is  private  in  Ventura,  Calif.  Contact  him  discreetly  at 
backspin@gibbs.com  and  follow  him  on  Twitter  (@quistuipater). 
YOU’LL HAVE to go to Buzzblog
(tinyurl.com/cjn614h) if
you want to see Steve Jobs playfully
portraying Franklin Delano Roosevelt, right down to
the cigarette holder — it’s there in all of its 20-second glory.

That clip is from an eight-and-a-half-minute film entitled
“1944,” also on the blog, that was Apple’s in-house takeoff on
“1984,” the iconic first Macintosh TV ad that caused a sensation
during that year’s Super Bowl. Set as a World War II tale of good
vs. IBM, it is a broadcast-quality production (said to have cost $50,000)
that was designed to fire up Apple’s international sales force at a 1984
meeting in Hawaii.

A copy of “1944” was provided to me by onetime Apple employee
Craig Elliott, formerly the head of Packeteer and now CEO of Pertino
Networks, a cloud-computing startup two blocks from Apple in Cupertino.
Elliott, who worked at Apple from 1985 to 1996, says he has “never
seen (the film) anywhere else” and that there had been “no additional
circulation” as far as he knows. I couldn’t find it online, either — the
year 1984 was pre-World Wide Web, of course — but that doesn’t mean
it wasn’t out there. (It’s been widely circulated since the blog post.)

Two snippets from “1944,” without any dialogue, also appear in
another Jobs video — a photo-montage tribute to him made by Apple
employees to mark his 30th birthday. After Jobs died last October,
Elliott posted that birthday video to his Facebook page, from where it
went viral before being knocked off the ’Net by Sony Music Entertainment
because it used a Bob Dylan song.

The connections between “1984” and “1944” were a bit on the
ham-handed side, as might be expected with this type of
production.

Anyone who’s seen the TV commercial no doubt will
recognize in “1944” the reprised role of the female hammer
thrower, although I’m not sure if it’s actually Anya Major
from “1984.” And, if you recall, Apple’s famous ad ended
with a narrator intoning: “On Jan. 24, Apple Computer will
release Macintosh. And you’ll see why 1984 won’t be like
‘1984.’” This motivational film begins: “On Jan. 24, 1984, Apple Computer
introduced Macintosh. And we saw why 1984 was like ... 1944.”

While professional actors play the key roles in “1944,” there are other
Apple employees besides Jobs on screen, including Mike Murray, then
vice president of marketing, as The General. Because allegations that
Macintosh lacked software had dogged Apple prior to its release, the
film takes pains in several places to counter that criticism, including purported
pledges of support from Microsoft’s Bill Gates, as well as Mitch
Kapor of pre-IBM Lotus Development Corp. The crate smashed open by
the hammer thrower in the film spills a pile of software.

Here’s  what  Jobs  says  into  a  telephone  in  his  big  FDR  scene: 

“General,  you  and  your  brave  fighting  force  have  a  rendezvous  with 
destiny.  Your  battle  will  be  long,  it  will  be  hard,  but  it  will  be  won.  I  am 
sure  your  victory  will  be  great.” 

He  then  hangs  up  the  phone,  turns  toward  the  camera,  drops  an 
awful  FDR  voice  and  grins:  “Insanely  great.” 

You’ve  got  to  see  it.  ■ 

Been  hoarding  a  long-lost  Apple  video?  The  address  is  buzz@nww.com. 
Watch Steve Jobs play FDR in Apple film